Manually identify time partition fields for a dataset with a Splunk-native data catalog

Manually identify time partition fields for an Amazon S3 dataset with a Splunk-native data catalog.

If you are defining an Amazon S3 dataset backed by a Splunk-native data catalog and you have selected Define partitions manually on the Configure dataset step, you can identify time partition fields in the Field list view, either as you add them to the list, or by editing the partition field list after it is created.
Note: This procedure covers identification of time partition fields with the Field list view. If you use the JSON view, you can also identify time partition fields. See JSON standards for the data and partition schemas.
  1. As you manually add or edit a partition field, select This is a time partition field to identify the field as a time partition field.
  2. When you identify a partition field as a time partition field, define its Time format with a time format variable string. Compose this time format string out of Splunk-supported time format variables, such as %Y for "year" values like 1980 or 2026, and %m for "month" values like 04 or 12. See Using time variables in the SPL2 Search Manual.
  3. As you add time partition fields, list them in the order that the fields appear in the Amazon S3 location path for the dataset. For more information, see Identify time partitions.
  4. If you manually add one or more time partition fields to your partition field list, select the Time zone that applies to those time partition fields.
  5. When you are finished adding fields, select Next to save your changes and go to the Update policies step.
Go to the Update policies step. See Apply the dataset resource access policy to an AWS IAM role.