Splunk Search

Epoch time millisecond lenght longer than standard

suhprano
Path Finder

My epoch time in the events are this long:

1327695522762361

How can I get splunk to extract the time including the milliseconds with this length?

Tags (1)
1 Solution

hexx
Splunk Employee
Splunk Employee

I would suggest to apply the following time stamp extraction specification to your sourcetype or source in props.conf :

TIME_PREFIX = <regular expression matching the string that precedes your time stamp>
TIME_FORMAT = %s%6N
MAX_TIMESTAMP_LOOKAHEAD = 16

I encourage you to look up the definition and specs of these parameters in props.conf.spec.

Let me know how it goes!

View solution in original post

hexx
Splunk Employee
Splunk Employee

I would suggest to apply the following time stamp extraction specification to your sourcetype or source in props.conf :

TIME_PREFIX = <regular expression matching the string that precedes your time stamp>
TIME_FORMAT = %s%6N
MAX_TIMESTAMP_LOOKAHEAD = 16

I encourage you to look up the definition and specs of these parameters in props.conf.spec.

Let me know how it goes!

hexx
Splunk Employee
Splunk Employee

It depends on the type of forwarder. If it's a Universal/Lightweight forwarder, then these settings belong on the indexer. If it's a regular forwarder then these settings must exist on the forwarder. For more information, please read this wiki article.

suhprano
Path Finder

Can this go in the forwarder's props.conf?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...