Solved: How to transform multiple timestamps in an event

MOHITJOSHI · ‎11-18-2019

I have an event that prints the actual time which Splunk metadata has, but instead, I want to use the other timestamp.
Splunk time shows 8/15/18
2:12:44.000 PM which it extracts from the Verbose line but I am interested to use the ZZZ-20190802-13:18:06-0000000001-3820-0 so that my Splunk time is based on ZZZ field

VERBOSE abc 08/15/18 18:12:44 xyz
DETAILS abc123 0.594s abc: 0.336s :abc: 0.001s ZZZ-20190802-13:18:06-0000000001-3820-0

MuS · ‎11-18-2019

Hi MOHITJOSHI,

try this in props.conf for that sourcetype:

[YourSourcetypeNameHere]
TIME_PREFIX = ZZZ-
TIME_FORMAT = %Y%m%d-%H:%M:%S-

Save this on the first full Splunk instance that receives the events and restart the instance, any new incoming events should have the second timestamp as their _time field.

Hope this helps ...

cheers, MuS

View solution in original post

MuS · ‎11-18-2019

Hi MOHITJOSHI,

try this in props.conf for that sourcetype:

[YourSourcetypeNameHere]
TIME_PREFIX = ZZZ-
TIME_FORMAT = %Y%m%d-%H:%M:%S-

Save this on the first full Splunk instance that receives the events and restart the instance, any new incoming events should have the second timestamp as their _time field.

Hope this helps ...

cheers, MuS

How to transform multiple timestamps in an event

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms