- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do I get Splunk to recognise epoch time?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a static JSON file (240k lines) I would like to index. Here's a the format:
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.027000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.035000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.064000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.098000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.110000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.143000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.154000}
{"name":"fuel_level","value":88.260948,"timestamp":1362061287.177000}
In the data preview mode Splunk is assigning the timestamp based on the last time the file was changed, not the timestamp variable of the event.
How can I get Splunk (using 6) to recognise the timestamp of the event?
i've tried playing with the ../props.conf file based on previous answers but have been unsuccessful so far.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would be helpful if you post the format that you tried in props.conf.
It should be as follows:
TIME_FORMAT = %s.%6N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It would be helpful if you post the format that you tried in props.conf.
It should be as follows:
TIME_FORMAT = %s.%6N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks! This is what I was originally trying, my mistake was not declaring:
TIME_PREFIX="timestamp":
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check out props.conf docs and read the Timestamp extraction configuration section.
The likely answer is in this part:
TIME_FORMAT = <strptime-style format>
* Specifies a strptime format string to extract the date.
* strptime is an industry standard for designating time formats.
* For more information on strptime, see "Configure timestamp recognition" in
the online documentation.
* TIME_FORMAT starts reading after the TIME_PREFIX. If both are specified, the TIME_PREFIX
regex must match up to and including the character before the TIME_FORMAT date.
* For good results, the <strptime-style format> should describe the day of the year and the
time of day.
* Defaults to empty.
This references the Configure timestamp recognition docs which should help you tons, especially the Enhanced strptime() support part.
Jesse Trucks
Minister of Magic
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
