Solved: Configure Timestamp field

klausJohan · ‎12-13-2013

Hello all,

Suppose I index JSON objects into Splunk and that each of these objectst has a timestamp key. What input should there be in the props.conf file in order for Splunk to automatically configure the default timestamp field to the previous mentioned JSON key ?

Thanks

gfuente · ‎12-13-2013

Hello

then you need to use:

TIME_PREFIX=stats_time\s:\s
TIME_FORMAT=%s

Try it and let me know if it worked

View solution in original post

gfuente · ‎12-13-2013

Hello

then you need to use:

TIME_PREFIX=stats_time\s:\s
TIME_FORMAT=%s

Try it and let me know if it worked

gfuente · ‎12-13-2013

What field?

Try _time field instead

Or look at the timestamp located at the left side of the event in the flashtimeline view

klausJohan · ‎12-13-2013

Unfortunately I still see that the timestamp field gets filled with 'none' only .

klausJohan · ‎12-13-2013

Indexed events look like this:

{
name : "PA",
id : "5",
........
stats_time : 1386940477673,
........
type : "Port"
}

"stats_time" is the key that I'm interested in to be rolled into the timestamp default field.

gfuente · ‎12-13-2013

Please include a sample event

Configure Timestamp field

.conf23 Registration is Now Open!

Don't wait! Accept the Mission Possible: Splunk Adoption Challenge Now and Win ...

Unify Your SecOps with Splunk Mission Control