<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: source type for 13 digit epoch in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653436#M110834</link>
    <description>&lt;P&gt;well, heck, I believe this worked!&amp;nbsp; Thank you!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Mon, 07 Aug 2023 15:54:06 GMT</pubDate>
    <dc:creator>loganramirez</dc:creator>
    <dc:date>2023-08-07T15:54:06Z</dc:date>
    <item>
      <title>How to create source type for 13 digit epoch?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653433#M110831</link>
      <description>&lt;P&gt;I have json data coming in that contains a 13 digit epoch value in eventTime, but %s appears to only support 10 digits (&lt;A href="https://docs.splunk.com/Documentation/Splunk/8.2.8/Data/Configuretimestamprecognition?ref=hk" target="_blank" rel="noopener"&gt;https://docs.splunk.com/Documentation/Splunk/8.2.8/Data/Configuretimestamprecognition?ref=hk&lt;/A&gt;)&lt;/P&gt;
&lt;P&gt;What I'm trying to do is create a source type that will set _time to the value in eventTime when consumed, but I'm struggling to solve it.&lt;/P&gt;
&lt;P&gt;I did try setting TIMESTAMP_FIELDS to eventTime and then TIME_FORMAT to %s, but that did not work.&lt;BR /&gt;&lt;BR /&gt;But I also manually added a 10 digit epoch, and it still did not work, so maybe I'm just chasing the wrong idea.&lt;BR /&gt;&lt;BR /&gt;I also tried 'AUTO', but it did not find the timestamp.&lt;/P&gt;
&lt;P&gt;Looking to learn!&amp;nbsp; Thank you!&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 07 Aug 2023 19:28:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653433#M110831</guid>
      <dc:creator>loganramirez</dc:creator>
      <dc:date>2023-08-07T19:28:37Z</dc:date>
    </item>
    <item>
      <title>Re: source type for 13 digit epoch</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653434#M110832</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242594"&gt;@loganramirez&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;please, use this TIME_FORMAT:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;TIME_FORMAT = %s%3N&lt;/LI-CODE&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Mon, 07 Aug 2023 15:47:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653434#M110832</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2023-08-07T15:47:10Z</dc:date>
    </item>
    <item>
      <title>Re: source type for 13 digit epoch</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653435#M110833</link>
      <description>&lt;P&gt;Want to note that I also found this:&lt;BR /&gt;&lt;A href="https://community.splunk.com/t5/Getting-Data-In/How-to-assign-custom-JSON-field-with-epoch-time-as-the-timestamp/m-p/151505" target="_blank"&gt;https://community.splunk.com/t5/Getting-Data-In/How-to-assign-custom-JSON-field-with-epoch-time-as-the-timestamp/m-p/151505&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;And my raw json looks like:&lt;BR /&gt;"eventTime": 1691354089743,&lt;BR /&gt;&lt;BR /&gt;So I also tried&lt;/P&gt;&lt;P&gt;TIMESTAMP_FIELDS: eventTime&lt;BR /&gt;TIME_FORMAT: %s%3N&lt;BR /&gt;TIMESTAMP_PREFIX: \"eventTime\":&lt;BR /&gt;KV_MODE: json&lt;BR /&gt;&lt;BR /&gt;But still getting the orange exclamation mark.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 07 Aug 2023 15:50:15 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653435#M110833</guid>
      <dc:creator>loganramirez</dc:creator>
      <dc:date>2023-08-07T15:50:15Z</dc:date>
    </item>
    <item>
      <title>Re: source type for 13 digit epoch</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653436#M110834</link>
      <description>&lt;P&gt;well, heck, I believe this worked!&amp;nbsp; Thank you!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Mon, 07 Aug 2023 15:54:06 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653436#M110834</guid>
      <dc:creator>loganramirez</dc:creator>
      <dc:date>2023-08-07T15:54:06Z</dc:date>
    </item>
    <item>
      <title>Re: source type for 13 digit epoch</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653437#M110835</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/242594"&gt;@loganramirez&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;please try using the default for json and my TIME_FORMAT:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;[your_sourcetype]
TIME_FORMAT = %s%3N
TIMESTAMP_PREFIX = \"eventTime\":
KV_MODE = none
INDEXED_EXTRACTIONS = json&lt;/LI-CODE&gt;&lt;P&gt;Ciao.&lt;/P&gt;&lt;P&gt;Giuseppe&lt;/P&gt;</description>
      <pubDate>Mon, 07 Aug 2023 15:54:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-create-source-type-for-13-digit-epoch/m-p/653437#M110835</guid>
      <dc:creator>gcusello</dc:creator>
      <dc:date>2023-08-07T15:54:47Z</dc:date>
    </item>
  </channel>
</rss>

