Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create source type for 13 digit epoch?

loganramirez
Path Finder
‎08-07-2023 08:40 AM

I have json data coming in that contains a 13 digit epoch value in eventTime, but %s appears to only support 10 digits (https://docs.splunk.com/Documentation/Splunk/8.2.8/Data/Configuretimestamprecognition?ref=hk)

What i'm trying to do is create a source type that will set _time to the value in eventTime when consumed, but struggling to solve it.

I did try setting TIMESTAMP_FIELDS to eventTime and then TIME_FORMAT to %s, but that did not work.

But, I also manually added a 10 digit epoch and it still did not work, so maybe i'm just chasing the wrong idea.

I also tried 'AUTO' but it did not find it.

Looking to learn!  Thank you!

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2023 08:47 AM

Hi @loganramirez,

please, use this TIME_FORMAT:

TIME_FORMAT = %s%3N

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

loganramirez
Path Finder
‎08-07-2023 08:50 AM

Want to note that I also found this:
https://community.splunk.com/t5/Getting-Data-In/How-to-assign-custom-JSON-field-with-epoch-time-as-t...


And my raw json looks like:
"eventTime": 1691354089743,

So I also tried

TIMESTAMP_FIELDS: eventTime
TIME_FORMAT: %s%3N
TIMESTAMP_PREFIX: \"eventTime\":
KV_MODE: json

But still getting the orange exclamation mark.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2023 08:54 AM

Hi @loganramirez,

please try using the default for json and my TIME_FORMAT:

[your_sourcetype]
TIME_FORMAT: %s%3N
TIMESTAMP_PREFIX: \"eventTime\":
KV_MODE: none
INDEXED_EXTRACTIONS = json

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2023 08:47 AM

Hi @loganramirez,

please, use this TIME_FORMAT:

TIME_FORMAT = %s%3N

Ciao.

Giuseppe

Reply
Solved! Jump to solution

loganramirez
Path Finder
‎08-07-2023 08:54 AM

well, heck, I believe this worked!  Thank you!

 

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...