I have a nice CEF file that parses quite nicely, except the date is buried deep in the file and is in epoch milliseconds. The field name is start. How do I make that my datetime stamp when this indexes?
Thanks!
If your data timestamp looks, for example, like this:
TIME:1459495744806
To extract that timestamp, add this stanza in props.conf:
[host::foo]
TIME_PREFIX = TIME:
TIME_FORMAT=%s%3N
%s is for the epoch (10 digits) and %3N for milliseconds.
http://docs.splunk.com/Documentation/Splunk/6.4.3/Data/Configuretimestamprecognition
If you have "1459495744806" inside an event, query it and convert it to the required timestamp:
| makeresults | fields - _time | eval timeTest = "1474993609302"
| eval timeStamp=strptime(timeTest,"%s%3N")
| eval timeStamp=strftime(timeStamp,"%m/%d/%Y:%H:%M:%S")
| table timeStamp
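As an added example (not part of the original answer), here is a small Python check of the same idea applied to the asker's case, where the epoch-millisecond value sits in the CEF "start" extension: it emulates what a hypothetical stanza with TIME_PREFIX = \bstart=, TIME_FORMAT = %s%3N and MAX_TIMESTAMP_LOOKAHEAD = 13 would pick out of each event, so a misparse (field missing, or seconds instead of milliseconds) is visible before the stanza is deployed. The sample events and stanza values are constructed for this illustration.

```python
import re
from datetime import datetime, timezone

# Constructed sample CEF events (not from the original post). The epoch-ms
# timestamp sits in the "start" extension, well past the header fields.
SAMPLE_EVENTS = [
    "CEF:0|Vendor|Product|1.0|100|Login succeeded|3|src=10.0.0.5 suser=alice "
    "rt=1459495744806 start=1474993609302 end=1474993612000 msg=ok",
    "CEF:0|Vendor|Product|1.0|101|Login failed|7|src=10.0.0.9 suser=bob "
    "start=1474993609000 msg=bad password",
]

# Hypothetical props.conf settings under test for the asker's data:
#   [sourcetype::cef_custom]
#   TIME_PREFIX = \bstart=
#   TIME_FORMAT = %s%3N
#   MAX_TIMESTAMP_LOOKAHEAD = 13
TIME_PREFIX = r"\bstart="          # \b keeps e.g. "restart=" from matching
MAX_TIMESTAMP_LOOKAHEAD = 13       # 10 epoch-second digits + 3 ms digits


def extract_epoch_ms(event, prefix=TIME_PREFIX, lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Emulate TIME_PREFIX + %s%3N recognition: locate the prefix, read at most
    `lookahead` characters after it, and require exactly 10 epoch-second digits
    followed by 3 millisecond digits. Returns an int (ms since epoch) or None."""
    m = re.search(prefix, event)
    if not m:
        return None                 # no "start=" field: Splunk would fall back
    window = event[m.end():m.end() + lookahead]
    digits = re.match(r"(\d{10})(\d{3})", window)
    if not digits:
        return None                 # e.g. seconds-only epoch: %s%3N would not fit
    return int(digits.group(1)) * 1000 + int(digits.group(2))


def to_utc(epoch_ms):
    """Convert epoch milliseconds to an aware UTC datetime (what _time holds)."""
    return datetime.fromtimestamp(epoch_ms / 1000, tz=timezone.utc)


def check_events(events):
    """Return (index, ISO-8601 timestamp or None) per event for a pre-deploy review."""
    results = []
    for i, event in enumerate(events):
        ms = extract_epoch_ms(event)
        stamp = to_utc(ms).isoformat(timespec="milliseconds") if ms is not None else None
        results.append((i, stamp))
    return results


if __name__ == "__main__":
    for idx, stamp in check_events(SAMPLE_EVENTS):
        print(idx, stamp)
```

A None in the output means the stanza would not recognise that event's timestamp and Splunk would fall back to other timestamp rules or the index time, which is exactly the case to catch before ingestion.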