Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why am I unable to correct the timestamp with microseconds?

vprasadeee_7
Explorer
‎05-17-2023 03:16 AM

Dear Team,

Below is the raw log for your reference:


{"kind":"Event",*******************,***,"stageTimestamp":2023-05-16T11:25:19.603580Z}

I have created a props.conf with the respective sourcetype and below for your reference:
[kube:apiserver-audit]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = stageTimestamp\"\:\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%6N
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27

However, when I check in Splunk time stamp is not parsed correctly. Any help here would be much appreciated.

 

Br,
Prasad V

Labels (1)
Labels
Tags (1)
0 Karma
Reply

vprasadeee_7
Explorer
‎05-19-2023 02:00 AM

thanks @richgalloway . No luck.

Below is the raw event for your reference:

{"resource":"*****"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-05-16T11:25:19.602483Z","stageTimestamp":"2023-05-16T11:25:19.603580Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"""}}

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎05-17-2023 08:53 AM

The TIME_PREFIX and TIME_FORMAT settings do not match the example event.  Try these settings

TIME_PREFIX = stageTimestamp":
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z

 

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...