Dear Team,
Below is the raw log for your reference:
{"kind":"Event",*******************,***,"stageTimestamp":2023-05-16T11:25:19.603580Z}
I have created a props.conf with the respective sourcetype and below for your reference:
[kube:apiserver-audit]
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = stageTimestamp\"\:\"
TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%6N
SHOULD_LINEMERGE=false
MAX_TIMESTAMP_LOOKAHEAD=27
However, when I check in Splunk, the timestamp is not parsed correctly. Any help here would be much appreciated.
Br,
Prasad V
Thanks @richgalloway. No luck.
Below is the raw event for your reference:
{"resource":"*****"},"responseStatus":{"metadata":{},"code":200},"requestReceivedTimestamp":"2023-05-16T11:25:19.602483Z","stageTimestamp":"2023-05-16T11:25:19.603580Z","annotations":{"authorization.k8s.io/decision":"allow","authorization.k8s.io/reason":"RBAC: allowed by RoleBinding \"""}}
The TIME_PREFIX and TIME_FORMAT settings do not match the example event. Try these settings:
TIME_PREFIX = stageTimestamp":
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%Z
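
An offline check of the settings discussed in this thread, added here as an example and not posted by any participant: it shows which text follows each TIME_PREFIX within the 27-character MAX_TIMESTAMP_LOOKAHEAD window, for a timestamp that is unquoted (as in the first log) and quoted (as in the second raw event). It is a simplified model, so Splunk's own parser may behave differently; the sample events are constructed, the function names are hypothetical, and mapping `%6N` to Python's `%f` is an assumption.

```python
import re
from datetime import datetime

# Constructed samples shaped like the two events posted in the thread:
# the first shows the timestamp unquoted, the second shows it quoted.
UNQUOTED = '{"kind":"Event","stageTimestamp":2023-05-16T11:25:19.603580Z}'
QUOTED = ('{"requestReceivedTimestamp":"2023-05-16T11:25:19.602483Z",'
          '"stageTimestamp":"2023-05-16T11:25:19.603580Z"}')

PREFIX_QUESTION = r'stageTimestamp\"\:\"'   # TIME_PREFIX from the question
PREFIX_ANSWER = r'stageTimestamp":'         # TIME_PREFIX from the answer
FORMAT_QUESTION = '%Y-%m-%dT%H:%M:%S.%6N'   # TIME_FORMAT from the question
LOOKAHEAD = 27                              # MAX_TIMESTAMP_LOOKAHEAD


def timestamp_window(event, time_prefix, lookahead=LOOKAHEAD):
    """Text a timestamp parser would be given: `lookahead` characters after
    the first TIME_PREFIX match, or None when the prefix does not match."""
    m = re.search(time_prefix, event)
    if m is None:
        return None
    return event[m.end():m.end() + lookahead]


def parse_window(window, splunk_format):
    """Parse the longest leading part of the window that fits the format.
    Assumption: Splunk's %<n>N subsecond directive is mapped to Python's %f."""
    if window is None:
        return None
    fmt = re.sub(r'%\d?N', '%f', splunk_format)
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


if __name__ == '__main__':
    for name, event in (('unquoted', UNQUOTED), ('quoted', QUOTED)):
        for label, prefix in (('question', PREFIX_QUESTION),
                              ('answer', PREFIX_ANSWER)):
            window = timestamp_window(event, prefix)
            print(name, label, repr(window),
                  parse_window(window, FORMAT_QUESTION))
```
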