- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do I get Splunk to recognise epoch time?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a static JSON file (240k lines) I would like to index. Here's a the format:
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.027000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.035000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.064000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.098000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.110000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.143000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.154000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.177000}
In the data preview mode Splunk is assigning the timestamp based on the last time the file was changed, not the timestamp variable of the event.
How can I get Splunk (using 6) to recognise the timestamp of the event?
i've tried playing with the ../props.conf file based on previous answers but have been unsuccessful so far.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would be helpful if you post the format that you tried in props.conf.
It should be as follows:
TIME_FORMAT = %s.%6N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would be helpful if you post the format that you tried in props.conf.
It should be as follows:
TIME_FORMAT = %s.%6N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! This is what I was originally trying, my mistake was not declaring:
TIME_PREFIX="timestamp":
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check out props.conf docs and read the Timestamp extraction configuration section.
The likely answer is in this part:
TIME_FORMAT = <strptime-style format>
* Specifies a strptime format string to extract the date.
* strptime is an industry standard for designating time formats.
* For more information on strptime, see "Configure timestamp recognition" in
the online documentation.
* TIME_FORMAT starts reading after the TIME_PREFIX. If both are specified, the TIME_PREFIX
regex must match up to and including the character before the TIME_FORMAT date.
* For good results, the <strptime-style format> should describe the day of the year and the
time of day.
* Defaults to empty.
This references the Configure timestamp recognition docs which should help you tons, especially the Enhanced strptime() support part.
Jesse Trucks
Minister of Magic
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
Splunk APM: New Product Features + Community Office Hours Recap!
Index This | Forward, I’m heavy; backward, I’m not. What am I?
