Setting dates in timestamps

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Setting dates in timestamps

Whenever the Splunk Server begins to index a new source, it sets timestamps in this order:

It sets the current date as a fallback date.
It then attempts to extract a date in the "source::" string. If it succeeds, it sets that date as the fallback date.
When timestamping each event, if it has a date, that date is used and becomes the new fallback date.
If an event's timestamp has a time but no date, the fallback date is used.

Retrieved from "http://docs.splunk.com/Documentation/Splunk/2.2.6/Admin/SettingDatesInTimestamps"

« Reduce indexing density How to include a date column in reports »

This documentation applies to the following versions of Splunk: 2.1 , 2.2 , 2.2.1 , 2.2.3 , 2.2.6 View the Article History for its revisions.

Was this topic useful?
Post a comment

You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Admin Manual

Setting dates in timestamps

Setting dates in timestamps

Comments