Time-Date recognize Unix Epoch Time milliseconds

ryastrebov · ‎03-29-2013

Hello!
I have log contains time-date in Unix Epoch format (milliseconds).
One event fragments is:

04,013c5f8ecc0f,013c5f8ecd04,0038af,...

Desired date is contained in column 3 (013c5f8ecd04).

During indexing process Splunk some date perceive correctly, and some not. This values (013c5f8ecd04) Splunk understand as 11/28/11 10:53:54.000 PM. It is incorrect.

Necessary to date indexing perceived correctly.
How can this be done?

Best regards,
Roman

ryastrebov · ‎03-31-2013

Thanks for the warning! I do not know really how to correctly extract the information about the date and time from the field... Because in most cases the date is retrieved correctly.

sideview · ‎03-29-2013

beware when you do get it working correctly, your date_hour fields and all your date_* fields will be calculated as though you had set the timezone explicitly to GMT, which effectively means all your date_hour values will be off by whatever your timezone offset is, and all your other date_* fields will be slightly unreliable too. This has bitten me in the past.

yannK · ‎03-29-2013

Define a timeprefix and timeformat extraction in props.conf for this sourcetype
To verify use the data preview.

ryastrebov · ‎03-29-2013

Unlikely because in this file same part of the dates correctly perceived

eashwar · ‎03-29-2013

i hope it is because of the TIME ZONE configured incorrectly.

Time-Date recognize Unix Epoch Time milliseconds

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM