Having issues getting time right.
My time is currently being populated by file creation time & not the 2nd column of the CSV file.
In troubleshooting, I've extracted time out a couple times.
DATE_ 2016-08-25 01:05:00 PM
extractDATE 2016-08-25 01:05:00 PM
but even though in props.conf I've tried to assign either to the time value, it doesn't seem to have an effect after Splunk restart and addition of new files.
Props shows
TIMESTAMP_FIELDS = extractDATE
the time shows as
Time _time 2016-08-25T13:39:02.000-07:00
I've successfully assigned timestamp, but that doesn't show well in a timechart.
I've looked for other ways to assign at search time, such as an eval command to assign time, but that clobbers the time altogether.
Is there a manual way to assign time to a field in the GUI or at search time? Hard to figure out what I'm doing wrong here.