https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-recognise-epoch-time/m-p/143441#M29291 <P>It would be helpful if you post the format that you tried in props.conf.</P> <P>It should be as follows:</P> <PRE><CODE>TIME_FORMAT = %s.%6N </CODE></PRE> Fri, 15 Nov 2013 01:43:53 GMT adrianathome 2013-11-15T01:43:53Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-recognise-epoch-time/m-p/143439#M29289 <P>I have a static JSON file (240k lines) I would like to index. Here's a the format:</P> <P>{"name":"fuel_level","value":88.260948,"timestamp":1362061287.027000}<BR /> {"name":"fuel_level","value":88.260948,"timestamp":1362061287.035000}<BR /> {"name":"fuel_level","value":88.260948,"timestamp":1362061287.064000}<BR /> {"name":"fuel_level","value":88.260948,"timestamp":1362061287.098000}<BR /> {"name":"fuel_level","value":88.260948,"timestamp":1362061287.110000}<BR /> {"name":"fuel_level","value":88.260948,"timestamp":1362061287.143000}<BR /> {"name":"fuel_level","value":88.260948,"timestamp":1362061287.154000}<BR /> {"name":"fuel_level","value":88.260948,"timestamp":1362061287.177000}</P> <P>In the data preview mode Splunk is assigning the timestamp based on the last time the file was changed, not the timestamp variable of the event.</P> <P>How can I get Splunk (using 6) to recognise the timestamp of the event?</P> <P>i've tried playing with the ../props.conf file based on previous answers but have been unsuccessful so far.</P> Mon, 28 Sep 2020 15:17:11 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-recognise-epoch-time/m-p/143439#M29289 himynamesdave 2020-09-28T15:17:11Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-recognise-epoch-time/m-p/143440#M29290 <P>Check out <A href="http://docs.splunk.com/Documentation/Splunk/6.0/admin/Propsconf">props.conf docs</A> and read the <CODE>Timestamp extraction configuration</CODE> section.</P> <P>The likely answer is in this part:</P> <PRE><CODE>TIME_FORMAT = &lt;strptime-style format&gt; * Specifies a strptime format string to extract the date. * strptime is an industry standard for designating time formats. * For more information on strptime, see "Configure timestamp recognition" in the online documentation. * TIME_FORMAT starts reading after the TIME_PREFIX. If both are specified, the TIME_PREFIX regex must match up to and including the character before the TIME_FORMAT date. * For good results, the &lt;strptime-style format&gt; should describe the day of the year and the time of day. * Defaults to empty. </CODE></PRE> <P>This references the <A href="http://docs.splunk.com/Documentation/Splunk/6.0/Data/Configuretimestamprecognition">Configure timestamp recognition</A> docs which should help you tons, especially the <A href="http://docs.splunk.com/Documentation/Splunk/6.0/Data/Configuretimestamprecognition#Enhanced_strptime.28.29_support">Enhanced strptime() support</A> part.</P> Fri, 15 Nov 2013 00:32:44 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-recognise-epoch-time/m-p/143440#M29290 jtrucks 2013-11-15T00:32:44Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-recognise-epoch-time/m-p/143441#M29291 <P>It would be helpful if you post the format that you tried in props.conf.</P> <P>It should be as follows:</P> <PRE><CODE>TIME_FORMAT = %s.%6N </CODE></PRE> Fri, 15 Nov 2013 01:43:53 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-recognise-epoch-time/m-p/143441#M29291 adrianathome 2013-11-15T01:43:53Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-recognise-epoch-time/m-p/143442#M29292 <P>Thanks! This is what I was originally trying, my mistake was not declaring:</P> <P>TIME_PREFIX="timestamp":</P> Fri, 15 Nov 2013 15:45:51 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-get-Splunk-to-recognise-epoch-time/m-p/143442#M29292 himynamesdave 2013-11-15T15:45:51Z