So I tried the pattern \d{18} for events looking like:
1351623403000225565 Type=VARIABLE, blah blah
1351623403000225568 Type=VARIABLE, blah blah
1351623403000225570 Type=VARIABLE, blah blah
when trying to add a data file from the manager, but Splunk will not recognize this as a timestamp.
I've also tried ^\d, ^\d{18}.
With \d{18}, it generates a props.conf:
# your settings
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=false
TIME_FORMAT=%Y-%m-%d %H:%M:%S.%9N
TIME_PREFIX=\d{18}
TZ=America/Chicago
TIME_PREFIX is to indicate any static (or even variable) text which might appear before the time stamp that exists.
TIME_FORMAT indicates the format that the stamp takes. Your config, cited above, would skip 18 (or 19) digits, then look for a stamp like 2012-11-07 21:44:23.623560235. That's not what you've got. You'll want to capture the first 10 digits as an epoch time, followed by the nanoseconds.
TIME_FORMAT=%s%9N
TIME_PREFIX=^
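To see what the TIME_PREFIX=^ / TIME_FORMAT=%s%9N pairing actually extracts from these lines, here is an added Python illustration (not part of the thread and not Splunk's own parser) that splits the 19-digit stamp the same way: 10 epoch-second digits, then 9 nanosecond digits. The sample events are constructed to match the question; times are rendered in UTC, so the America/Chicago offset from the TZ setting is not applied here.

```python
import re
from datetime import datetime, timezone
from typing import Optional, Tuple

# Constructed sample events in the shape shown in the question.
EVENTS = [
    "1351623403000225565 Type=VARIABLE, blah blah",
    "1351623403000225568 Type=VARIABLE, blah blah",
    "1351623403000225570 Type=VARIABLE, blah blah",
]

# TIME_PREFIX=^     -> the stamp starts at the beginning of the line.
# TIME_FORMAT=%s%9N -> 10 epoch-second digits followed by 9 nanosecond digits.
STAMP_RE = re.compile(r"^(?P<sec>\d{10})(?P<nsec>\d{9})\b")


def parse_stamp(event: str) -> Optional[Tuple[int, int]]:
    """Return (epoch_seconds, nanoseconds) for an event, or None if no stamp matches."""
    m = STAMP_RE.match(event)
    if m is None:
        return None
    return int(m.group("sec")), int(m.group("nsec"))


def to_utc_string(event: str) -> Optional[str]:
    """Render the stamp with all nine fractional digits, like strftime's %9N."""
    parsed = parse_stamp(event)
    if parsed is None:
        return None
    sec, nsec = parsed
    base = datetime.fromtimestamp(sec, tz=timezone.utc)
    return f"{base:%Y-%m-%d %H:%M:%S}.{nsec:09d}"


def to_microsecond_string(event: str) -> Optional[str]:
    """Same stamp held in a microsecond-resolution field: the last three digits are lost."""
    parsed = parse_stamp(event)
    if parsed is None:
        return None
    sec, nsec = parsed
    # datetime only stores microseconds, so the nanoseconds are truncated (225565 -> 225).
    dt = datetime.fromtimestamp(sec, tz=timezone.utc).replace(microsecond=nsec // 1000)
    return dt.strftime("%Y-%m-%d %H:%M:%S.%f")


def distinct_stamps(events) -> Tuple[int, int]:
    """Count distinct stamps at nanosecond vs microsecond resolution across the events."""
    nano = {parse_stamp(e) for e in events if parse_stamp(e) is not None}
    micro = {(s, n // 1000) for s, n in nano}
    return len(nano), len(micro)
```

The three sample events are distinct at nanosecond resolution but collapse to one value once the stamp is stored with only microseconds, which is what a "stats count by _time" over them would show.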
However, what is the point in using a nanosecond timestamp for _time if I can't get the precision out of Splunk???
sourcetype=OrderGW-RJ | eval tm=_time | eval stm=strftime(_time, "%Y-%m-%d %H:%M:%S.%9N") | stats count by _time tm stm | head 1 | table _time tm stm
_time tm stm
10/30/12 1:56:43.000 PM 1351623403.000225 2012-10-30 13:56:43.000225000
That worked, thanks for the clarification.
should be {19}, but still not working...