Solved: index time and event log time is mismatching

RASHO · ‎02-27-2019

We are getting events from one of our application ,But the indexed time and event logged time is different ,Please let me know how to fix this timestamp issues and not getting milliseconds in time.

Event list below:

Time Event
2/27/19 { [-]
6:24:31.000 PM @timestamp: 2019-02-27T18:19:59.757Z

Props.conf

[XXXXXX]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=@timestamp":
TRUNCATE = 0

tiagofbmm · ‎02-27-2019

Here are what seem to be the settings you're looking for:

SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=(@timestamp)
TIME_FORMAT=%Y-%m-%dT%H:%M:%D.%3Q
MAX_TIMESTAMP_LOOKAHEAD=30

Let me know please

View solution in original post

tiagofbmm · ‎02-27-2019

Here are what seem to be the settings you're looking for:

SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=(@timestamp)
TIME_FORMAT=%Y-%m-%dT%H:%M:%D.%3Q
MAX_TIMESTAMP_LOOKAHEAD=30

Let me know please

index time and event log time is mismatching

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Join the Conversation