Splunk Enterprise

Why am I unable to correct the timestamp with microseconds?

vprasadeee_7
Explorer

Dear Team,

Below is the raw log for your reference:


{"kind":"Event",*******************,***,"stageTimestamp":2023-05-16T11:25:19.603580Z}

I have created a props.conf with the respective sourcetype and below for your reference:
[kube:apiserver-audit]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = stageTimestamp\"\:\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%6N
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27

However, when I check in Splunk time stamp is not parsed correctly. Any help here would be much appreciated.

 

Br,
Prasad V

Labels (1)
Tags (1)
0 Karma

vprasadeee_7
Explorer

thanks @richgalloway . No luck.

Below is the raw event for your reference:

{"resource":"*****"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-05-16T11:25:19.602483Z","stageTimestamp":"2023-05-16T11:25:19.603580Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"""}}

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The TIME_PREFIX and TIME_FORMAT settings do not match the example event.  Try these settings

TIME_PREFIX = stageTimestamp":
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z

 

---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW!Every day the list of sources Admins are responsible for gets bigger and bigger, often making the ...

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

REGISTER NOW!Join us for a Tech Talk around our latest release of Splunk Enterprise Security 7.2! We’ll walk ...

Introduction to Splunk AI

WATCH NOWHow are you using AI in Splunk? Whether you see AI as a threat or opportunity, AI is here to stay. ...