Solved: Re: Epoch time millisecond lenght longer than stan...

suhprano · ‎01-27-2012

My epoch time in the events are this long:

1327695522762361

How can I get splunk to extract the time including the milliseconds with this length?

hexx · ‎01-27-2012

I would suggest to apply the following time stamp extraction specification to your sourcetype or source in props.conf :

TIME_PREFIX = <regular expression matching the string that precedes your time stamp>
TIME_FORMAT = %s%6N
MAX_TIMESTAMP_LOOKAHEAD = 16

I encourage you to look up the definition and specs of these parameters in props.conf.spec.

Let me know how it goes!

View solution in original post

hexx · ‎01-27-2012

I would suggest to apply the following time stamp extraction specification to your sourcetype or source in props.conf :

TIME_PREFIX = <regular expression matching the string that precedes your time stamp>
TIME_FORMAT = %s%6N
MAX_TIMESTAMP_LOOKAHEAD = 16

I encourage you to look up the definition and specs of these parameters in props.conf.spec.

Let me know how it goes!

hexx · ‎01-27-2012

It depends on the type of forwarder. If it's a Universal/Lightweight forwarder, then these settings belong on the indexer. If it's a regular forwarder then these settings must exist on the forwarder. For more information, please read this wiki article.

suhprano · ‎01-27-2012

Can this go in the forwarder's props.conf?

Epoch time millisecond lenght longer than standard

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life