Topics

| pdf version

Overview

Setting Up Data Inputs

Authentication

Changing the Way Splunk Processes Your Data

Creating and Using Configuration Bundles

Configuring Your Sources

Splunk-2-Splunk Management

Integration

Managing Your Filesystem

How-To's


Toolbox

Splunk > The IT Search Company

  • Search and navigate IT data from applications, servers and network devices in real-time.
  • Download Splunk

Localized Splunk documentation

Looking for Splunk documentation in other languages?

Documentation | Discussion | View source | History

Setting dates in timestamps

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6

Setting dates in timestamps

Whenever the Splunk Server begins to index a new source, it sets timestamps in this order:


  • It sets the current date as a fallback date.
  • It then attempts to extract a date in the "source::" string. If it succeeds, it sets that date as the fallback date.
  • When timestamping each event, if it has a date, that date is used and becomes the new fallback date.
  • If an event's timestamp has a time but no date, the fallback date is used.
Retrieved from "http://www.splunk.com/base/Documentation/2.2.6/Admin/SettingDatesInTimestamps"
Revision: 207 Contact Privacy Policy Terms of Use Community content licensed under Creative Commons

Copyright © 2005-2010 Splunk Inc. All rights reserved.