Solved: Epoch time millisecond lenght longer than standard

suhprano · ‎01-27-2012

My epoch time in the events are this long:

1327695522762361

How can I get splunk to extract the time including the milliseconds with this length?

hexx · ‎01-27-2012

I would suggest to apply the following time stamp extraction specification to your sourcetype or source in props.conf :

TIME_PREFIX = <regular expression matching the string that precedes your time stamp>
TIME_FORMAT = %s%6N
MAX_TIMESTAMP_LOOKAHEAD = 16

I encourage you to look up the definition and specs of these parameters in props.conf.spec.

Let me know how it goes!

View solution in original post

hexx · ‎01-27-2012

I would suggest to apply the following time stamp extraction specification to your sourcetype or source in props.conf :

TIME_PREFIX = <regular expression matching the string that precedes your time stamp>
TIME_FORMAT = %s%6N
MAX_TIMESTAMP_LOOKAHEAD = 16

I encourage you to look up the definition and specs of these parameters in props.conf.spec.

Let me know how it goes!

hexx · ‎01-27-2012

It depends on the type of forwarder. If it's a Universal/Lightweight forwarder, then these settings belong on the indexer. If it's a regular forwarder then these settings must exist on the forwarder. For more information, please read this wiki article.

suhprano · ‎01-27-2012

Can this go in the forwarder's props.conf?

Epoch time millisecond lenght longer than standard

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

There's No Place Like Chrome and the Splunk Platform

Customer Experience | Join the Customer Advisory Board!