topic Re: Setting the time-stamp recognition in Getting Data In

Setting the time-stamp recognition

fridays — Fri, 25 Aug 2017 05:52:41 GMT

We have"event": 1503162120.971 event=login fI="2017-05-31 23:21:22.000"... u_wl=25 uid=6da2479a-2b79-3c7a-8450-30c2d4592ea2 - He did not recognize the first field as 1503162120.971 as the _time event, but the line 2017-05-31 23: 21: 22.000 And the problem is observed exactly in the lines where here 2017-05-31 23: 21: 22.000 at the end. If it was 2017-05-31 23: 21: 22.100 then it works right. Because of this, a lot of events left for us in the wrong _time. How to wipe the definition of Timestamp on the first parameter (sequence of numbers before the space) How to make the current data already loaded into the spline become normal?

Re: Setting the time-stamp recognition

ColinCH — Tue, 29 Sep 2020 15:30:25 GMT

You can add on the Indexing-Server following line to props.conf

[sourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 15

Then Splunk parse only the first 15 characters for the timestamp. Splunk should known the unix-timestamp already.

http://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Propsconf#Timestamp_extraction_configuration

For Events that already in in Splunk you can change it at search time with something like that:

| rex "(?yourregularexpresson)" | eval _time = yourtimefield(order_date,"%s")

Re: Setting the time-stamp recognition

gcusello — Fri, 25 Aug 2017 07:41:46 GMT

Hi fridays,
did you tried to put in your props.conf

[your_sourcetype]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=15

Bye.
Giuseppe

Re: Setting the time-stamp recognition

fridays — Fri, 25 Aug 2017 11:52:04 GMT

It work's. Thank you.