Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Epoch Time - Time Stamp Assignment with Millisecs seperate in JSON

jimdiconectiv
Path Finder
‎11-18-2021 11:11 AM

I have some passive dns data that has time stamps that look like this in JSON logs:

{"timestamp":"2021-10-21 16:31:01","timestamp_s":1634833861,"timestamp_ms":973448, 

So it has first conventional time stamp and then a full seconds based Unix Epoch Time Stamp in seconds followed by:

timestamp_ms":990877

This has the millsecs of the time only (actually microseconds).  The more convention time would have been:

timestamp_s":1634834347.990877 

I have not been able to get the time to include the millisec value included so far.  I am using a TIME_PREFIX that should skip the conventional timestamp.   Most recently, I used SEDCMD to get the time stamp to look more normal for epoch time --- timestamp_s":1634834347.990877,  but maybe the SEDCMD only happens after the time stamp is determined.

I have used similar to for this.

TIME_PREFIX=timestamp_s":
TIME_FORMAT= %s.%6N

Any help appreciated ! 

 

 

 

Labels (2)
Labels
0 Karma
Reply

johnhuang
Motivator
‎12-02-2021 02:26 PM

TIME_PREFIX = timestamp_s\x22:
TIME_FORMAT = %s,\"timestamp_ms\":%6N

0 Karma
Reply

Siddharth
Path Finder
‎12-01-2021 01:40 PM

Hi jimmy ,

So i think just index the data using first time stamp in temp index then write a spl to extract this info and push the new data inside your desired index .

you can also set retention time 2-3 weeks in temp index

Reply

jimdiconectiv
Path Finder
‎12-02-2021 09:09 AM

Thanks for the thought.  A possible solution.  I'll update.  

I had hoped I could just get strptime to skip around the stuff between the secs part of the epoch time and the ms part, TIME_FORMAT = %s,\"timestamp_ms\":%6N,  but that did not work -- You can put slashes colon and other punctuation in there but I guess no strings. 

I also tried fixing the time stamp to a pure seconds and ms part doing a rewrite with SEDCMD, that worked to re-write the record,  but did not fix the time stamp which is determined before. 

0 Karma
Reply

jimdiconectiv
Path Finder
‎12-01-2021 12:13 PM

I don't think I have previously had a post up for this long and gotten no answers.   PLEASE ! 

0 Karma
Reply

jimdiconectiv
Path Finder
‎11-29-2021 11:22 AM

Please help !   I normall get help after posting.  This is an important issue for us. 

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...