Solved: index time and event log time is mismatching

RASHO · ‎02-27-2019

We are getting events from one of our application ,But the indexed time and event logged time is different ,Please let me know how to fix this timestamp issues and not getting milliseconds in time.

Event list below:

Time Event
2/27/19 { [-]
6:24:31.000 PM @timestamp: 2019-02-27T18:19:59.757Z

Props.conf

[XXXXXX]
SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=@timestamp":
TRUNCATE = 0

tiagofbmm · ‎02-27-2019

Here are what seem to be the settings you're looking for:

SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=(@timestamp)
TIME_FORMAT=%Y-%m-%dT%H:%M:%D.%3Q
MAX_TIMESTAMP_LOOKAHEAD=30

Let me know please

View solution in original post

tiagofbmm · ‎02-27-2019

Here are what seem to be the settings you're looking for:

SHOULD_LINEMERGE=true
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
TIME_PREFIX=(@timestamp)
TIME_FORMAT=%Y-%m-%dT%H:%M:%D.%3Q
MAX_TIMESTAMP_LOOKAHEAD=30

Let me know please

index time and event log time is mismatching

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

index time and event log time is mismatching

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...