topic Re: Configure Timestamp field in Getting Data In

Configure Timestamp field

klausJohan — Fri, 13 Dec 2013 09:10:52 GMT

Hello all,

Suppose I index JSON objects into Splunk and that each of these objectst has a timestamp key. What input should there be in the props.conf file in order for Splunk to automatically configure the default timestamp field to the previous mentioned JSON key ?

Thanks

Re: Configure Timestamp field

gfuente — Fri, 13 Dec 2013 10:28:29 GMT

Please include a sample event

Re: Configure Timestamp field

klausJohan — Fri, 13 Dec 2013 13:18:26 GMT

Indexed events look like this:

{
name : "PA",
id : "5",
........
stats_time : 1386940477673,
........
type : "Port"
}

"stats_time" is the key that I'm interested in to be rolled into the timestamp default field.

Re: Configure Timestamp field

gfuente — Fri, 13 Dec 2013 13:35:38 GMT

Hello

then you need to use:

TIME_PREFIX=stats_time\s:\s
TIME_FORMAT=%s

Try it and let me know if it worked

Re: Configure Timestamp field

klausJohan — Fri, 13 Dec 2013 15:38:32 GMT

Unfortunately I still see that the timestamp field gets filled with 'none' only .

Re: Configure Timestamp field

gfuente — Fri, 13 Dec 2013 15:42:41 GMT

What field?

Try _time field instead

Or look at the timestamp located at the left side of the event in the flashtimeline view