Getting Data In

How to edit my props.conf to take timestamp from an updated field?

Communicator

Hey everyone.

I have read all the related posts about timestamps and still can't make it work.

So, I have events like this:

....................."2016-11-01T21:33:16.000+0300",splunk,splunk...............one, u'Baseline Effort': None, u'Labels': '', u'Updated': u'2016-11-02T20:17:13.000+0300', u'\u03a3 Progress_progress'................

I need to take the timestamp from the Updated field.

props.conf

[Jira]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description =
disabled = false
pulldown_type = true
TIME_PREFIX = Updated': u'
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z

Re: How to edit my props.conf to take timestamp from an updated field?

Legend

Your values of TIME_FORMAT and TIME_PREFIX seem to pick up the timestamp from the example event you have provided here.

1) Can you please check whether MAX_TIMESTAMP_LOOKAHEAD is at least 32 or more? You can also increase this to a very high number just to see if at least one event is identified properly, and to confirm that there is an issue with event breaking in that case.

2) Also look into your event breaks to make sure all events are being identified properly. Otherwise individual events can become too large and identification of the timestamp may become difficult.

If the above two do not help, can you provide at least two or more sample events from your logs after anonymizing them? Then it would be possible to look further.

TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%z
TIME_PREFIX=Updated': u'
MAX_TIMESTAMP_LOOKAHEAD=32

| eval message="Happy Splunking!!!"


Re: How to edit my props.conf to take timestamp from an updated field?

Communicator

The trouble was in the apostrophes, thank you for the help anyway!


Re: How to edit my props.conf to take timestamp from an updated field?

Legend

Hi Shark2112,

Probably the problem is that the apostrophe is a special character, so you have to use a backslash (\) before it.

So you'll have TIME_PREFIX = Updated\'\:\su\' and MAX_TIMESTAMP_LOOKAHEAD=28
In addition, if you have a CSV, you can set the timestamp field using TIMESTAMP_FIELDS=your_timestamp_field

Bye.
Giuseppe


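Added example (not from the thread, and not Splunk's own code): the script below is a small, simplified model, written for this page, of how the three settings discussed in the two answers above interact: TIME_PREFIX is applied as a regex, only the next MAX_TIMESTAMP_LOOKAHEAD characters after the match are examined, and the first text in that window that matches TIME_FORMAT becomes the event time. It runs over a constructed event modelled on the one in the question (the u'...' repr syntax is kept because it is exactly what the prefix has to match), and translates Splunk's %3N token to Python's %f, since Python's strptime has no %3N. The function and its behaviour are an approximation, not a reproduction of Splunk's timestamp processor; in particular, under Python's re the unescaped prefix from the question and the escaped one from the accepted answer are the same regex, so this model cannot show the apostrophe handling that the thread found to be the real problem. What it does show is why a lookahead shorter than the full 28-character timestamp silently fails, and why the first (creation) timestamp wins when no prefix is set.

```python
import re
from datetime import datetime
from typing import Optional

# Constructed sample event, modelled on the one in the question: a Jira export
# written out by a Python 2 script, so string values keep their u'...' repr form.
# The first timestamp is the issue creation time; the second is the Updated field.
SAMPLE_EVENT = (
    '"2016-11-01T21:33:16.000+0300",splunk,splunk,'
    "one, u'Baseline Effort': None, u'Labels': '', "
    "u'Updated': u'2016-11-02T20:17:13.000+0300', u'\u03a3 Progress_progress'"
)

TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%3N%z"  # as in the thread's props.conf


def splunk_to_python_format(fmt: str) -> str:
    """Translate Splunk's %3N (milliseconds) to Python's %f; every other token is shared."""
    return fmt.replace("%3N", "%f")


def _parse_at(text: str, pyfmt: str) -> Optional[datetime]:
    """Try to parse a timestamp starting at text[0], longest candidate first, so
    that trailing event text (a quote, a comma) does not make strptime fail."""
    for end in range(min(len(text), 40), 9, -1):
        try:
            return datetime.strptime(text[:end], pyfmt)
        except ValueError:
            continue
    return None


def extract_timestamp(event: str, time_format: str = TIME_FORMAT,
                      time_prefix: Optional[str] = None,
                      lookahead: int = 128) -> Optional[datetime]:
    """Simplified model (an assumption for this example, not Splunk's code) of
    TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD:
      1. if time_prefix is set it is a regex, and the search starts after its match
      2. only the next `lookahead` characters are examined
      3. the first text in that window that matches time_format wins
    Returns an aware datetime, or None if nothing in the window matches.
    """
    start = 0
    if time_prefix is not None:
        m = re.search(time_prefix, event)
        if m is None:
            return None  # prefix absent: no timestamp from this rule
        start = m.end()
    window = event[start:start + lookahead]
    pyfmt = splunk_to_python_format(time_format)
    for pos, ch in enumerate(window):
        if ch.isdigit():  # every candidate for %Y starts with a digit
            ts = _parse_at(window[pos:], pyfmt)
            if ts is not None:
                return ts
    return None


if __name__ == "__main__":
    cases = {
        "no TIME_PREFIX (first timestamp in the event wins)": {},
        "TIME_PREFIX as posted in the question": {"time_prefix": "Updated': u'"},
        "escaped TIME_PREFIX, lookahead 28": {"time_prefix": r"Updated\'\:\su\'", "lookahead": 28},
        "TIME_PREFIX set, but lookahead 20": {"time_prefix": "Updated': u'", "lookahead": 20},
    }
    for label, kwargs in cases.items():
        print(f"{label}: {extract_timestamp(SAMPLE_EVENT, **kwargs)}")
```

The lookahead of 28 used in the accepted answer is exactly the length of "2016-11-02T20:17:13.000+0300"; anything shorter cuts off the millisecond or zone part, the format no longer matches, and the event falls through to whatever other timestamp logic applies (in Splunk, usually the index time or the previous event's time, which is the symptom the question describes). If the source really is ingested with INDEXED_EXTRACTIONS = csv, the TIMESTAMP_FIELDS setting mentioned in the answer sidesteps the regex entirely.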

Re: How to edit my props.conf to take timestamp from an updated field?

Communicator

The trouble was in the apostrophes, thanks a lot.
