I have JSON data coming in that contains a 13-digit epoch value in eventTime, but %s appears to only support 10 digits (https://docs.splunk.com/Documentation/Splunk/8.2.8/Data/Configuretimestamprecognition?ref=hk).
What I'm trying to do is create a source type that will set _time to the value in eventTime when consumed, but I'm struggling to solve it.
I did try setting TIMESTAMP_FIELDS to eventTime and then TIME_FORMAT to %s, but that did not work.
But I also manually added a 10-digit epoch and it still did not work, so maybe I'm just chasing the wrong idea.
I also tried 'AUTO' but it did not find it.
Looking to learn! Thank you!
Want to note that I also found this:
https://community.splunk.com/t5/Getting-Data-In/How-to-assign-custom-JSON-field-with-epoch-time-as-t...
And my raw JSON looks like:
"eventTime": 1691354089743,
So I also tried
TIMESTAMP_FIELDS: eventTime
TIME_FORMAT: %s%3N
TIMESTAMP_PREFIX: \"eventTime\":
KV_MODE: json
But still getting the orange exclamation mark.
Hi @loganramirez,
please try using the default for JSON and my TIME_FORMAT:
[your_sourcetype]
TIME_FORMAT = %s%3N
TIMESTAMP_PREFIX = \"eventTime\":
KV_MODE = none
INDEXED_EXTRACTIONS = json
Ciao.
Giuseppe
Well, heck, I believe this worked! Thank you!
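To check offline what `_time` a sample event should get under the `%s%3N` format discussed in this thread, the following Python script reads the value after the `"eventTime":` prefix as 10 digits of epoch seconds plus 3 digits of milliseconds. It is an added example, not code from the thread or from Splunk; `parse_event_time`, the sample events, and the tolerance for whitespace after the colon are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Prefix as in the thread: the literal key "eventTime" followed by a colon.
# Allowing whitespace around the colon is an assumption of this example.
PREFIX = re.compile(r'"eventTime"\s*:\s*')
# %s  -> epoch seconds (10 digits for present-day dates)
# %3N -> exactly 3 subsecond digits (milliseconds), optional here
EPOCH = re.compile(r'(\d{10})(\d{3})?(?!\d)')


def parse_event_time(raw):
    """Return a UTC datetime for the eventTime in a raw JSON event, or None."""
    prefix = PREFIX.search(raw)
    if prefix is None:
        return None  # key not present in the event
    value = EPOCH.match(raw, prefix.end())
    if value is None:
        return None  # quoted string, wrong digit count, or not numeric
    seconds = int(value.group(1))
    millis = int(value.group(2) or 0)
    # Integer arithmetic avoids float rounding of the millisecond part.
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(milliseconds=millis)


# Constructed sample events; only the first value comes from the thread.
SAMPLES = [
    '{"eventTime": 1691354089743, "action": "login"}',     # 13 digits (ms)
    '{"eventTime": 1691354089, "action": "login"}',        # 10 digits (s)
    '{"eventTime": 1691354089743000, "action": "login"}',  # 16 digits (us)
    '{"eventTime": "1691354089743", "action": "login"}',   # quoted string
    '{"timestamp": 1691354089743, "action": "login"}',     # wrong key
]

if __name__ == "__main__":
    for raw in SAMPLES:
        parsed = parse_event_time(raw)
        print(parsed.isoformat() if parsed else "no timestamp", "<-", raw)
```

Comparing this result with the `_time` Splunk assigns to the same event shows whether the sourcetype's timestamp settings are being applied or whether Splunk fell back to another time source.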