Solved: Configure Timestamp field

klausJohan · ‎12-13-2013

Hello all,

Suppose I index JSON objects into Splunk and that each of these objectst has a timestamp key. What input should there be in the props.conf file in order for Splunk to automatically configure the default timestamp field to the previous mentioned JSON key ?

Thanks

gfuente · ‎12-13-2013

Hello

then you need to use:

TIME_PREFIX=stats_time\s:\s
TIME_FORMAT=%s

Try it and let me know if it worked

View solution in original post

gfuente · ‎12-13-2013

Hello

then you need to use:

TIME_PREFIX=stats_time\s:\s
TIME_FORMAT=%s

Try it and let me know if it worked

gfuente · ‎12-13-2013

What field?

Try _time field instead

Or look at the timestamp located at the left side of the event in the flashtimeline view

klausJohan · ‎12-13-2013

Unfortunately I still see that the timestamp field gets filled with 'none' only .

klausJohan · ‎12-13-2013

Indexed events look like this:

{
name : "PA",
id : "5",
........
stats_time : 1386940477673,
........
type : "Port"
}

"stats_time" is the key that I'm interested in to be rolled into the timestamp default field.

gfuente · ‎12-13-2013

Please include a sample event

Configure Timestamp field

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation