topic Re: epoch time stamps not being indexed in Getting Data In

epoch time stamps not being indexed

smudge797 — Thu, 15 May 2014 17:46:04 GMT

Im having trouble ingesting these logs with the following format:

{"order":{"custom..........ntType":1,"timestamp":1400083389834}

i.e.
START:
{"order":{
END:
"timestamp":}

Splunk is having issues with the content of the event and the time stamp. Any help much appreciated!

Re: epoch time stamps not being indexed

somesoni2 — Thu, 15 May 2014 18:05:37 GMT

Try these in your props.conf

[Yoursourcetype]
BREAK_ONLY_BEFORE=\{\"order\"
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_PREFIX=\"timestamp\":

Re: epoch time stamps not being indexed

richgalloway — Thu, 15 May 2014 18:10:37 GMT

Depending on the size of your log entries, you may also want to add MAX_TIMESTAMP_LOOKAHEAD to your props.conf file.

Re: epoch time stamps not being indexed

smudge797 — Thu, 15 May 2014 20:08:12 GMT

There can be around 3000 characters in each event and each time stamp is at the end?

Re: epoch time stamps not being indexed

somesoni2 — Mon, 28 Sep 2020 16:38:06 GMT

MAX_TIMESTAMP_LOOKAHEAD is property to indicate how long the timestamp field/value can be. E.g. in your example its 13 (no of digits in epoch time). If there are milliseconds there could be decimal point and 3 more digits. So it would be good idea to set this property to avoid capturing extra values. But since your timestamp is the last field in your event, it may not be necessary.