I'm onboarding sample logs from a txt file to my local Splunk instance where the timestamp is in a 10-digit format (epoch time format). During the onboarding I'm applying the following timestamp format: strptime("timestamp","%m/%d/%y %H:%M:%S"), "timestamp" being the field name in the raw sample in the txt document. But the timestamp is still defaulting to modtime. Any ideas?
TIME_FORMAT=%s is the proper way to configure a timestamp in epoch format. If your logs are formatted such that Splunk cannot clearly identify which 10-digit value represents a timestamp, you may need to provide more hints (recommended to be explicit anyways), like TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD etc.
If you are able to provide a sample log event, it will be easier to help with more details.
Example timestamp in raw logs: timestamp: 1617865161
TIME_PREFIX=timestamp:\s
TIME_FORMAT=%s
should extract the timestamp properly
Thanks, I have added the below to the advanced section under timestamp, but it's still defaulting back to modtime.
Please share one full event here for further help. You can anonymize data as needed, but please maintain the format of the event.
Anonymised raw sample:
{"hostname":"ip-xxx-xxx-xxx-xx.eu-west-1.compute.internal","query":"xxxxx.net.","response_code":"NXDOMAIN","size":"89","src_ip":"xx.xxx.xxx.xxx","timestamp":"1617865214"}
OK, it's JSON format, that's helpful to know...
[yourSourcetypeName]
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS = json
KV_MODE = none
TIMESTAMP_FIELDS = timestamp
TIME_FORMAT = %s
You may have to add other settings here depending on other requirements, like line breakers etc., but this should parse your epoch timestamp as expected.
strptime is parsing the timestamp field and expecting it to be in the given format, but you have already said it is a 10-digit number (not the format you are trying to parse with).