Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to edit my props.conf to take timestamp from an updated field?

Shark2112
Communicator
‎11-07-2016 02:42 AM

Hey everyone.

I read all nearest posts about timestamp and still can't make it work.

So, i have events like this:

....................."2016-11-01T21:33:16.000+0300",splunk,splunk...............one, u'Baseline Effort': None, u'Labels': '', u'Updated': u'2016-11-02T20:17:13.000+0300', u'\u03a3 Progress_progress'................

I need take timestamp from Updated field

props.conf

[Jira]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description =
disabled = false
pulldown_type = true
TIME_PREFIX = Updated': u'
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2016 07:04 AM

Hi Shark2112,

probably the problem is that apostrophe it's a special character, so you have to use backslash () before it.

So you'll have TIME_PREFIX = Updated\'\:\su\' and MAX_TIMESTAMP_LOOKAHEAD=28
In addition, if you have a csv, you can set the timestamp field using TIMESTAMP_FIELDS=your_timestamp_field

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎11-07-2016 07:04 AM

Hi Shark2112,

probably the problem is that apostrophe it's a special character, so you have to use backslash () before it.

So you'll have TIME_PREFIX = Updated\'\:\su\' and MAX_TIMESTAMP_LOOKAHEAD=28
In addition, if you have a csv, you can set the timestamp field using TIMESTAMP_FIELDS=your_timestamp_field

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

Shark2112
Communicator
‎11-07-2016 07:31 AM

trouble was in apostrophes, thx alot

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎11-07-2016 05:18 AM

Your values of TIME_FORMAT and TIME_PREFIX seems to pick up the timestamp from example event you have provided here.

1) Can you please check whether MAX_TIMESTAMP_LOOKAHEAD is atleast 32 or more? You can increase this to very high number also just to see if at least one event is identified properly and also confirm that there is an issue with event break in that case.

2) Also look into your Event Breaks that all events are being identified properly. Otherwise individual events can become too large and identification of timestamp may become difficult.

If above two do not help can you provide at least two or more sample events after anonymizing from your logs, it would be possible to look further.

TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%z
TIME_PREFIX=Updated': u'
MAX_TIMESTAMP_LOOKAHEAD=32

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

Shark2112
Communicator
‎11-07-2016 07:32 AM

trouble was in apostrophes, thank you for help anyway!

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...