Why am I unable to correct the timestamp with micr...

vprasadeee_7 · ‎05-17-2023

Dear Team,

Below is the raw log for your reference:

{"kind":"Event",*******************,***,"stageTimestamp":2023-05-16T11:25:19.603580Z}

I have created a props.conf with the respective sourcetype and below for your reference:
[kube:apiserver-audit]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = stageTimestamp\"\:\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%6N
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27

However, when I check in Splunk time stamp is not parsed correctly. Any help here would be much appreciated.

Br,
Prasad V

vprasadeee_7 · ‎05-19-2023

thanks @richgalloway . No luck.

Below is the raw event for your reference:

{"resource":"*****"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-05-16T11:25:19.602483Z","stageTimestamp":"2023-05-16T11:25:19.603580Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"""}}

richgalloway · ‎05-17-2023

The TIME_PREFIX and TIME_FORMAT settings do not match the example event. Try these settings

TIME_PREFIX = stageTimestamp":
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z

---
If this reply helps you, Karma would be appreciated.

Why am I unable to correct the timestamp with microseconds?

configuration

Streamline Data Ingestion With Deployment Server Essentials

Remediate Threats Faster and Simplify Investigations With Splunk Enterprise Security ...

Introduction to Splunk AI