TechQA.

Splunk - Adjusting source file timestamp

281 views Asked by At

Given:

  • I have two log files (file_1, file_2)
  • Each from a different server (server_1, server_2).
  • The servers are not property synchronized via ntpd. (Example: server_1 is 13 seconds ahead of server_2.)
  • I do not have the ability to adjust or correct the server times.
  • I am the Splunk user, not the Splunk administrator.

Problem: After ingesting each of the log files, the events are off by 13 seconds (obviously).

Question: Can I adjust the _time for all events in source=file_2 by 13 seconds so the events line up correctly in search results, graphs, etc.?

(Note: this is a simple break down of the more complex problem. I have thousands of logs from hundreds of servers. I cannot simply re-run/create these logs.)

timestamp splunk adjustment
Original Q&A
1

There are 1 answers

0
Alec Collier On BEST ANSWER

You can do set the Splunk timestamp to whatever you want simply be overwriting the _time field for those events:

<any base search> source=file_2  | eval _time=_time+13

We can use an eval if statement to view all events and update the time only for file_2

<any base search> | eval _time=if(source=="file_2", _time+13, _time)

Related Questions in TIMESTAMP

Related Questions in SPLUNK

Related Questions in ADJUSTMENT

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions