Solved: Re: Epoch time millisecond lenght longer than stan...

suhprano · ‎01-27-2012

My epoch time in the events are this long:

1327695522762361

How can I get splunk to extract the time including the milliseconds with this length?

hexx · ‎01-27-2012

I would suggest to apply the following time stamp extraction specification to your sourcetype or source in props.conf :

TIME_PREFIX = <regular expression matching the string that precedes your time stamp>
TIME_FORMAT = %s%6N
MAX_TIMESTAMP_LOOKAHEAD = 16

I encourage you to look up the definition and specs of these parameters in props.conf.spec.

Let me know how it goes!

View solution in original post

hexx · ‎01-27-2012

I would suggest to apply the following time stamp extraction specification to your sourcetype or source in props.conf :

TIME_PREFIX = <regular expression matching the string that precedes your time stamp>
TIME_FORMAT = %s%6N
MAX_TIMESTAMP_LOOKAHEAD = 16

I encourage you to look up the definition and specs of these parameters in props.conf.spec.

Let me know how it goes!

hexx · ‎01-27-2012

It depends on the type of forwarder. If it's a Universal/Lightweight forwarder, then these settings belong on the indexer. If it's a regular forwarder then these settings must exist on the forwarder. For more information, please read this wiki article.

suhprano · ‎01-27-2012

Can this go in the forwarder's props.conf?

Epoch time millisecond lenght longer than standard

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...