Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Setting the time-stamp recognition

fridays
Explorer
‎08-24-2017 10:52 PM

We have"event": 1503162120.971 event=login fI="2017-05-31 23:21:22.000"... u_wl=25 uid=6da2479a-2b79-3c7a-8450-30c2d4592ea2 - He did not recognize the first field as 1503162120.971 as the _time event, but the line 2017-05-31 23: 21: 22.000 And the problem is observed exactly in the lines where here 2017-05-31 23: 21: 22.000 at the end. If it was 2017-05-31 23: 21: 22.100 then it works right. Because of this, a lot of events left for us in the wrong _time. How to wipe the definition of Timestamp on the first parameter (sequence of numbers before the space) How to make the current data already loaded into the spline become normal?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ColinCH
Path Finder
‎08-25-2017 12:01 AM

You can add on the Indexing-Server following line to props.conf

[sourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 15

Then Splunk parse only the first 15 characters for the timestamp. Splunk should known the unix-timestamp already.

http://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Propsconf#Timestamp_extraction_configuration

For Events that already in in Splunk you can change it at search time with something like that:

| rex "(?yourregularexpresson)" | eval _time = yourtimefield(order_date,"%s")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

fridays
Explorer
‎08-25-2017 04:52 AM

It work's. Thank you.

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-25-2017 12:41 AM

Hi fridays,
did you tried to put in your props.conf

[your_sourcetype]
SHOULD_LINEMERGE=false
NO_BINARY_CHECK=true
TIME_PREFIX=^
MAX_TIMESTAMP_LOOKAHEAD=15

Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

ColinCH
Path Finder
‎08-25-2017 12:01 AM

You can add on the Indexing-Server following line to props.conf

[sourcetype]
MAX_TIMESTAMP_LOOKAHEAD = 15

Then Splunk parse only the first 15 characters for the timestamp. Splunk should known the unix-timestamp already.

http://docs.splunk.com/Documentation/Splunk/6.6.2/Admin/Propsconf#Timestamp_extraction_configuration

For Events that already in in Splunk you can change it at search time with something like that:

| rex "(?yourregularexpresson)" | eval _time = yourtimefield(order_date,"%s")

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...