Re: epoch time stamps not being indexed

smudge797 · ‎05-15-2014

Im having trouble ingesting these logs with the following format:

{"order":{"custom..........ntType":1,"timestamp":1400083389834}

i.e.
START:
{"order":{
END:
"timestamp":}

Splunk is having issues with the content of the event and the time stamp. Any help much appreciated!

somesoni2 · ‎05-15-2014

Try these in your props.conf

[Yoursourcetype]
BREAK_ONLY_BEFORE=\{\"order\"
NO_BINARY_CHECK=1
SHOULD_LINEMERGE=true
TIME_PREFIX=\"timestamp\":

somesoni2 · ‎05-15-2014

MAX_TIMESTAMP_LOOKAHEAD is property to indicate how long the timestamp field/value can be. E.g. in your example its 13 (no of digits in epoch time). If there are milliseconds there could be decimal point and 3 more digits. So it would be good idea to set this property to avoid capturing extra values. But since your timestamp is the last field in your event, it may not be necessary.

smudge797 · ‎05-15-2014

There can be around 3000 characters in each event and each time stamp is at the end?

richgalloway · ‎05-15-2014

Depending on the size of your log entries, you may also want to add MAX_TIMESTAMP_LOOKAHEAD to your props.conf file.

---
If this reply helps you, Karma would be appreciated.

epoch time stamps not being indexed

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

Analytics Workspace deprecation

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Join the Conversation