https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420003#M73981 <P>Hey,</P> <P>Splunk should handle that automatically:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6193iC5C0BCFB2D8CC6D5/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>What exactly is not working at your side?</P> Wed, 05 Dec 2018 07:36:15 GMT bjoernjensen 2018-12-05T07:36:15Z https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420002#M73980 <P>How do you extract a timestamp in an event like this "2018-12-05T00:31:03.711Z"?</P> <P>Like, what do we need to write in TIME_FORMAT in props.conf?</P> Wed, 05 Dec 2018 07:29:35 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420002#M73980 vishaltaneja070 2018-12-05T07:29:35Z https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420003#M73981 <P>Hey,</P> <P>Splunk should handle that automatically:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6193iC5C0BCFB2D8CC6D5/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>What exactly is not working at your side?</P> Wed, 05 Dec 2018 07:36:15 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420003#M73981 bjoernjensen 2018-12-05T07:36:15Z https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420004#M73982 <P>Hope this should work..</P> <PRE><CODE>[&lt;sourcetype&gt;] SHOULD_LINEMERGE = false TIME_PREFIX = ^\" TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z MAX_TIMESTAMP_LOOKAHEAD = 25 </CODE></PRE> Sat, 08 Dec 2018 02:18:01 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420004#M73982 prakash007 2018-12-08T02:18:01Z https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420005#M73983 <P>I think you're asking how Splunk identifies the timestamp in the raw logs rather than how Splunk extracts it</P> Sat, 08 Dec 2018 20:39:45 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420005#M73983 skoelpin 2018-12-08T20:39:45Z https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420006#M73984 <P>No, no, no! Never, EVER let Splunk do anything related to timestamping or sourcetyping automatically!</P> Sat, 08 Dec 2018 22:11:54 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420006#M73984 woodcock 2018-12-08T22:11:54Z https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420007#M73985 <P>Correct. ALWAYS explicitly tell Splunk how to line break and timestamp </P> Sat, 08 Dec 2018 23:38:34 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420007#M73985 skoelpin 2018-12-08T23:38:34Z https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420008#M73986 <P>Hi @vishaltaneja07011993! Can you post one whole event? Because it matters where the timestamp is situated in the event and you might need to configure TIME_PREFIX accordingly.</P> Mon, 10 Dec 2018 21:54:11 GMT https://community.splunk.com/t5/Getting-Data-In/What-do-we-need-to-write-in-TIME-FORMAT-in-props-conft-to/m-p/420008#M73986 whrg 2018-12-10T21:54:11Z