https://community.splunk.com/t5/Getting-Data-In/How-to-recognize-event-time-that-is-embedded-in-json-string-in/m-p/57511#M11237 <P>That is basically right, but first, is this all on a single Splunk instance (no forwarder)? You should try:</P> <PRE><CODE>TIME_PREFIX = \"createTime\"\: TIME_FORMAT = %10s%3N MAX_TIMESTAMP_LOOKAHEAD = 15 </CODE></PRE> <P>instead of what you have above. I think the <CODE>TIME_PREFIX</CODE> you have should work anyway, but that the <CODE>TIME_FORMAT</CODE> might not be taking because <CODE>%s</CODE> is expecting epoch seconds, and your timestamp is milliseconds, which puts the date about 40,000 years in the future, which is outside of Splunk's default sanity limit. You might want to also try <CODE>%s%3N</CODE> for your <CODE>TIME_FORMAT</CODE> if the above doesn't work, or if you have dates either before Sep 8 2001 (9 digits) or dates after 2286.</P> Fri, 12 Aug 2011 20:22:56 GMT gkanapathy 2011-08-12T20:22:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-recognize-event-time-that-is-embedded-in-json-string-in/m-p/57510#M11236 <P>I'm using "From files and directories" --&gt; "Upload and index a file" to feed the data file. The file has data in following format.</P> <P>{ "_id": { "$oid": "4b97ca22729772ec85d48fc0"}, "subscriberId": "C10000235", "createTime": 1268238882453, "serviceGroup": "SGID0001", "sessionProtocolIndicator": null, "networkProxyId": "PROXY_001" }</P> <P>Search shows the following basic information:<BR /> host=srinidev sourcetype=sds3 source=sds3.out</P> <P>How can I get splunk (using 4.2.3) to recognize 1268238882453 as the date and use it as event time?</P> <P>I added a $SPLUNK_HOME/etc/local/props.conf file with these lines:</P> <P>[sds3]</P> <P>TIME_PREFIX = createTime</P> <P>TIME_FORMAT = %s</P> <P>I also added $SPLUNK_HOME/etc/apps/search/input.conf, but with not much success.</P> <P>Any help is greatly appreciated. Thanks.</P> Mon, 28 Sep 2020 09:47:59 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-recognize-event-time-that-is-embedded-in-json-string-in/m-p/57510#M11236 skericsson 2020-09-28T09:47:59Z https://community.splunk.com/t5/Getting-Data-In/How-to-recognize-event-time-that-is-embedded-in-json-string-in/m-p/57511#M11237 <P>That is basically right, but first, is this all on a single Splunk instance (no forwarder)? You should try:</P> <PRE><CODE>TIME_PREFIX = \"createTime\"\: TIME_FORMAT = %10s%3N MAX_TIMESTAMP_LOOKAHEAD = 15 </CODE></PRE> <P>instead of what you have above. I think the <CODE>TIME_PREFIX</CODE> you have should work anyway, but that the <CODE>TIME_FORMAT</CODE> might not be taking because <CODE>%s</CODE> is expecting epoch seconds, and your timestamp is milliseconds, which puts the date about 40,000 years in the future, which is outside of Splunk's default sanity limit. You might want to also try <CODE>%s%3N</CODE> for your <CODE>TIME_FORMAT</CODE> if the above doesn't work, or if you have dates either before Sep 8 2001 (9 digits) or dates after 2286.</P> Fri, 12 Aug 2011 20:22:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-recognize-event-time-that-is-embedded-in-json-string-in/m-p/57511#M11237 gkanapathy 2011-08-12T20:22:56Z https://community.splunk.com/t5/Getting-Data-In/How-to-recognize-event-time-that-is-embedded-in-json-string-in/m-p/57512#M11238 <P>Thanks. Still having trouble. So is etc/apps/search/input.conf necessary. I added following lines to that file. </P> <P>[monitor:///home/test/data/session_data.out]</P> <P>sourcetype = sds3</P> Sat, 13 Aug 2011 13:19:12 GMT https://community.splunk.com/t5/Getting-Data-In/How-to-recognize-event-time-that-is-embedded-in-json-string-in/m-p/57512#M11238 skericsson 2011-08-13T13:19:12Z