Solved: index time and event log time is mismatching

RASHO · ‎02-27-2019

We are getting events from one of our application ,But the indexed time and event logged time is different ,Please let me know how to fix this timestamp issues and not getting milliseconds in time.

Event list below:

Time Event
2/27/19 { [-]
6:24:31.000 PM @timestamp: 2019-02-27T18:19:59.757Z

Props.conf

[XXXXXX]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=@timestamp":
TRUNCATE = 0

tiagofbmm · ‎02-27-2019

Here are what seem to be the settings you're looking for:

SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=(@timestamp)
TIME_FORMAT=%Y-%m-%dT%H:%M:%D.%3Q
MAX_TIMESTAMP_LOOKAHEAD=30

Let me know please

View solution in original post

tiagofbmm · ‎02-27-2019

Here are what seem to be the settings you're looking for:

SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=(@timestamp)
TIME_FORMAT=%Y-%m-%dT%H:%M:%D.%3Q
MAX_TIMESTAMP_LOOKAHEAD=30

Let me know please

index time and event log time is mismatching

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

index time and event log time is mismatching

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits