How to include a date column in reports
This documentation does not apply to the most recent version of Splunk.
To include the timestamp from an event as a reportable column, make the following configuration changes:
Edit $SPLUNK_HOME/etc/bundles/local/regexes.conf
Add the following stanza:
    [UTCtime]
    SOURCE_KEY = _time
    REGEX = (.*)
    DEST_KEY = _meta
    FORMAT = $0 utctime::$1
Edit $SPLUNK_HOME/etc/bundles/local/props.conf
Add the following stanza:
    [foo]
    REGEXES = UTCtime
Where foo is the source/sourcetype/host that you want to have this property applied to.
Once you make these changes, restart Splunk. All new data will include a utctime column when you run a report on the data.
This documentation applies to the following versions of Splunk: 2.2, 2.2.1, 2.2.3, 2.2.6