I am trying to create a props.conf for a log file which has entries like the ones below:
{"timestamp":1429805010594,"message":"Deployment with pending data read by user 'tempaccount'","eventId":1041,"metadata":{}}
{"timestamp":1429805597016,"message":"Deployment Archive for Service with ID 'instance-2' read by 'tempaccount","eventId":1040,"metadata":{}}
I am not able to figure out the time format used there; I tried using TIME_FORMAT = %s but that is not working. My customer told me that the data is in JSON format, if that helps in any way.
Any ideas?
TIME_FORMAT = %s%3N
TIME_PREFIX = {"timestamp":
#MAX_TIMESTAMP_LOOKAHEAD = 0
You have a 13-digit epoch time, so you must account for the higher precision.
As per the docs, %s represents a 10-digit epoch timestamp.
TIME_PREFIX is also required because the timestamp is not 10 digits... so this will confirm for Splunk that it's got the right one.
MAX_TIMESTAMP_LOOKAHEAD overrides the default of 127, but it worked for me without it... it depends on the rest of the events, and you've only provided two.
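The reasoning in the answer can be checked outside Splunk: locate the digits that follow the TIME_PREFIX, then split them as %s%3N (seconds plus exactly three millisecond digits) and compare with the plain %s reading. The script below is an added example written for this thread, not code from the original post or from Splunk; the two sample events are constructed copies of the lines in the question, and the regex/lookahead logic only mirrors what TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD mean, it is not Splunk's own parser.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events, shaped like the two lines in the question.
SAMPLE_EVENTS = [
    '{"timestamp":1429805010594,"message":"Deployment with pending data read '
    'by user \'tempaccount\'","eventId":1041,"metadata":{}}',
    '{"timestamp":1429805597016,"message":"Deployment Archive for Service with '
    'ID \'instance-2\' read by \'tempaccount","eventId":1040,"metadata":{}}',
]

# Same anchor as the TIME_PREFIX line from the answer, as a regex.
TIME_PREFIX = re.compile(r'\{"timestamp":')
DEFAULT_LOOKAHEAD = 127  # Splunk's documented default for MAX_TIMESTAMP_LOOKAHEAD


def extract_epoch_digits(event, lookahead=DEFAULT_LOOKAHEAD):
    """Return the digit run right after TIME_PREFIX, searching only within
    `lookahead` characters past the prefix (what MAX_TIMESTAMP_LOOKAHEAD bounds).
    Returns None when the prefix or the digits are not found."""
    m = TIME_PREFIX.search(event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    digits = re.match(r"\d+", window)
    return digits.group(0) if digits else None


def parse_s_3n(digits):
    """Interpret a digit string as %s%3N: all but the last three digits are
    epoch seconds, the last three are milliseconds. Integer arithmetic keeps
    the millisecond part exact."""
    if len(digits) < 4:
        raise ValueError("need at least one seconds digit plus 3 ms digits")
    secs, millis = int(digits[:-3]), int(digits[-3:])
    base = datetime.fromtimestamp(secs, tz=timezone.utc)
    return base + timedelta(milliseconds=millis)


def parse_s(digits):
    """Interpret the same digits as a bare %s (epoch seconds), which is what the
    question tried. A 13-digit value read as seconds lands tens of thousands of
    years in the future, so this returns None instead of a date."""
    try:
        return datetime.fromtimestamp(int(digits), tz=timezone.utc)
    except (OverflowError, ValueError, OSError):
        return None


def event_time(event, lookahead=DEFAULT_LOOKAHEAD):
    """Full pipeline as the answer's props.conf would apply it."""
    digits = extract_epoch_digits(event, lookahead)
    return parse_s_3n(digits) if digits else None


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        d = extract_epoch_digits(ev)
        print(d, "-> %s%3N:", event_time(ev).isoformat(), "| %s:", parse_s(d))
```

Running it shows both events land on 2015-04-23 with the %s%3N split, while the %s reading fails for the same digits, which is exactly the mismatch the original TIME_FORMAT = %s produced.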
That's simply awesome. Thanks a ton.
My pleasure. Sometimes it's just another pair of eyeballs. 🙂