Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Setting timestamp to minus one month of ingestion

nabeel652
Builder
‎05-31-2017 04:17 PM

I am getting some csv files in start of each month but actually they are the billing data for the last month. I want to set the timestamp to last month not the month it is being ingested in. Any ideas how this can be done?

PS: there is no field in the files that I can set as timestamp neither I want to change the files.

0 Karma
Reply

woodcock
Esteemed Legend
‎06-04-2017 10:29 PM

Given your constraints, it is not possible; you will have to pre-process your file with other software to modify it such that one of the other answers that will not work as-is, will work when-then.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎05-31-2017 06:51 PM

In props.conf:

[sourcetypeName]
DATETIME_CONFIG=NONE

This will work assuming the modified date of the file is last month.

0 Karma
Reply

nabeel652
Builder
‎05-31-2017 07:25 PM

No, unfortunately they get the file out of the system the first/second day of the month so the timestamp is current month

0 Karma
Reply

woodcock
Esteemed Legend
‎05-31-2017 04:40 PM

You can set the timestamp based on the filename so arrange to have the filenames as you like and do this:

http://answers.splunk.com/answers/40247/timestamp-from-file-name.html
http://answers.splunk.com/answers/94763/set-timestamp-based-on-file-source-path.html

Be sure to sent MAX_DAYS_PAST appropriately!

0 Karma
Reply

DalJeanis
Legend
‎06-04-2017 05:48 PM

@woodcock - what would be the proper stanzas to use SOURCE_KEY = _indextime to recalculate the _time? Like, how would you do the equivalent of this in an index-time transform?

_time=relative_time(_indextime,"-1mon@mon")

If you can't do anything so "programmatic" in a stanza, is there any place that you could get a SOURCE_KEY value that gave the first day (or last day) of the preceding month, in order to use it to override _time?

0 Karma
Reply

nabeel652
Builder
‎05-31-2017 07:26 PM

No, unfortunately they get the file out of the system the first/second day of the month so the timestamp is current month

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...