Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Epoch Time

hmrabet2
Observer
‎04-29-2021 06:44 AM

Im onboarding sample logs from a txt file to my local Splunk instance were the time stamp is in a 10 digit format (epoch time format). During the onboarding im applying the following timestamp format  strptime("timestamp","%m/%d/%y %H:%M:%S") "timestamp" being the field name in the raw sample in the txt document.  But the timestamp is still defaulting to modtime. Any ideas? 

 

Labels (1)
Labels
0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎04-29-2021 12:36 PM

TIME_FORMAT=%s is the proper way to configure a timestamp in epoch format. If your logs are formatted such that Splunk cannot clearly identify which 10-digit value represents a timestamp, you may need to provide more hints (recommended to be explicit anyways), like TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD etc.

If you are able to provide a sample log event, it will be easier to help with more details.

0 Karma
Reply

hmrabet2
Observer
‎04-30-2021 02:14 AM

Example timestamp in raw logs:        timestamp1617865161

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎04-30-2021 09:40 AM 
TIME_PREFIX=timestamp:\s
TIME_FORMAT=%s

should extract the timestamp properly

0 Karma
Reply

hmrabet2
Observer
‎04-30-2021 09:50 AM

Thanks, i have added the below to the advanced  section under timestamp but its still defaulting back to modtime. 

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎04-30-2021 10:09 AM

Please share one full event here for further help. You can anonymize data as needed, but please maintain the format of the event.

0 Karma
Reply

hmrabet2
Observer
‎05-04-2021 01:30 AM

Anonymised raw sample: 

{"hostname":"ip-xxx-xxx-xxx-xx.eu-west-1.compute.internal","query":"xxxxx.net.","response_code":"NXDOMAIN","size":"89","src_ip":"xx.xxx.xxx.xxx","timestamp":"1617865214"}

0 Karma
Reply

s2_splunk
Splunk Employee
Splunk Employee
‎05-04-2021 08:55 AM

OK, it's JSON format, that's helpful to know....

[yourSourcetypeName]
SHOULD_LINEMERGE=false
INDEXED_EXTRACTIONS = json
KV_MODE = none
TIMESTAMP_FIELDS = timestamp
TIME_FORMAT = %s

 You may have to add other settings here depending on other requirements, like line breakers etc., but this should parse your epoch timestamp as expected.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎04-29-2021 07:40 AM

strptime is parsing the timestamp field and expecting it to be in the given format, but you have already said it is a 10 digit number (not the format you are trying to parse with)

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...