I read all the nearby posts about timestamps and still can't make it work.
So, I have events like this:
....................."2016-11-01T21:33:16.000+0300",splunk,splunk...............one, u'Baseline Effort': None, u'Labels': '', u'Updated': u'2016-11-02T20:17:13.000+0300', u'\u03a3 Progress_progress'................
I need to take the timestamp from the Updated field.
[Jira]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description =
disabled = false
pulldown_type = true
TIME_PREFIX = Updated': u'
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
Your values of TIME_FORMAT and TIME_PREFIX seem to pick up the timestamp from the example event you have provided here.
1) Can you please check whether MAX_TIMESTAMP_LOOKAHEAD is at least 32 or more? You can also increase this to a very high number just to see if at least one event is identified properly, and to confirm that there is an issue with event breaking in that case.
2) Also look into your event breaks, to make sure all events are being identified properly. Otherwise individual events can become too large and identification of the timestamp may become difficult.
If the above two do not help, can you provide at least two or more sample events from your logs (after anonymizing them)? It would then be possible to look further.
Probably the problem is that the apostrophe is a special character, so you have to use a backslash (\) before it.
So you'll have
TIME_PREFIX = Updated\'\:\su\' and
In addition, if you have a csv, you can set the timestamp field using
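To see which timestamp the settings in this thread actually select from the quoted event, here is a small Python approximation of Splunk's TIME_PREFIX / MAX_TIMESTAMP_LOOKAHEAD / TIME_FORMAT logic, covering both the lookahead point from the first answer and the escaped prefix from the second. It is an added example, not code from the thread or from Splunk, and it simplifies the real extractor: it maps %3N to strptime's %f and only slides a parse window after the prefix, so Splunk's exact behaviour (fallbacks, other format tokens) is not modelled.

```python
import re
from datetime import datetime

# Constructed sample event, rebuilt from the fragment quoted in the question.
SAMPLE_EVENT = (
    '"2016-11-01T21:33:16.000+0300",splunk,splunk, ... one, '
    "u'Baseline Effort': None, u'Labels': '', "
    "u'Updated': u'2016-11-02T20:17:13.000+0300', u'\\u03a3 Progress_progress'"
)

# props.conf values from the question; 32 is the minimum lookahead the first answer asks for.
TIME_PREFIX = r"Updated': u'"
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%3N%z"
MAX_TIMESTAMP_LOOKAHEAD = 32


def splunk_to_strptime(fmt):
    """Splunk's %3N (three-digit milliseconds) has no strptime spelling; %f is the closest."""
    return fmt.replace("%3N", "%f")


def extract_timestamp(event, time_prefix, time_format, lookahead):
    """Rough model of Splunk's extraction (an assumption, not Splunk's code): locate
    TIME_PREFIX as a regex, then look for a TIME_FORMAT match anywhere inside the next
    `lookahead` characters. Returns an aware datetime, or None if nothing parses."""
    m = re.search(time_prefix, event)
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]
    fmt = splunk_to_strptime(time_format)
    # strptime needs the exact substring, so slide a start/end pair across the window,
    # preferring the earliest start and the longest parseable span.
    for start in range(len(window)):
        for end in range(len(window), start, -1):
            try:
                return datetime.strptime(window[start:end], fmt)
            except ValueError:
                continue
    return None


if __name__ == "__main__":
    cases = (
        (TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD),   # settings from the question
        (r"Updated\'\:\su\'", MAX_TIMESTAMP_LOOKAHEAD),  # escaped prefix from the second answer
        ("", 128),                                # no prefix: the first timestamp in the event wins
        (TIME_PREFIX, 10),                        # lookahead shorter than the format needs
    )
    for prefix, look in cases:
        print(repr(prefix), look, extract_timestamp(SAMPLE_EVENT, prefix, TIME_FORMAT, look))
```

The last case returns None because the 10-character window holds only the date part, which is the failure mode the first answer's lookahead check is meant to rule out.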