Splunk Search

Epoch time millisecond lenght longer than standard

suhprano
Path Finder

My epoch time in the events are this long:

1327695522762361

How can I get splunk to extract the time including the milliseconds with this length?

Tags (1)
1 Solution

hexx
Splunk Employee
Splunk Employee

I would suggest to apply the following time stamp extraction specification to your sourcetype or source in props.conf :

TIME_PREFIX = <regular expression matching the string that precedes your time stamp>
TIME_FORMAT = %s%6N
MAX_TIMESTAMP_LOOKAHEAD = 16

I encourage you to look up the definition and specs of these parameters in props.conf.spec.

Let me know how it goes!

View solution in original post

hexx
Splunk Employee
Splunk Employee

I would suggest to apply the following time stamp extraction specification to your sourcetype or source in props.conf :

TIME_PREFIX = <regular expression matching the string that precedes your time stamp>
TIME_FORMAT = %s%6N
MAX_TIMESTAMP_LOOKAHEAD = 16

I encourage you to look up the definition and specs of these parameters in props.conf.spec.

Let me know how it goes!

hexx
Splunk Employee
Splunk Employee

It depends on the type of forwarder. If it's a Universal/Lightweight forwarder, then these settings belong on the indexer. If it's a regular forwarder then these settings must exist on the forwarder. For more information, please read this wiki article.

suhprano
Path Finder

Can this go in the forwarder's props.conf?

0 Karma
Get Updates on the Splunk Community!

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...