How to write in props.conf so that the _time field...

gitingua · ‎04-22-2022

Hello colleagues, I would like to know

I have events where there is a unixTime field. But the _time field does not show correctly

how can I write in props.conf so that the _time field takes time from the unixTime field

gcusello · ‎04-22-2022

Hi @gitingua,

it's possible to set a props.conf to correctly read a unixtime as timestamp.

If you could share some sample of your logs, we could help you.

Ciao.

Giuseppe

gitingua · ‎04-22-2022

@gcuselloHi!

as you can see, my _time field is ahead of the unixTime field. And I would need the _time field to be the same as unixTime

i want to change my sourcetype in props.conf so that _time takes time from unixTime field

isoutamo · ‎04-22-2022

Hi

can you add some raw data inside </> block?

Some resources to use when you are onboarding data:

Basically you should configure props.conf so, that it take correct field/place from event and recognise timestamps correct. See those TIME_* and MAX_TIMESTAMP* for found correct place. Also LINE_BREAKER needs time by time some changes.

r. Ismo

How to write in props.conf so that the _time field takes time from the unixTime field?

field extraction

HTTP Event Collector

JSON

modular input

other

props.conf

scripted input

whitelist

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!