I'm having difficulty extracting an Epoch timestamp in the following format - 1361463359598
I can validate that this is a true Epoch time using many programs online. In my props.conf I have %s set which is supposed to give me the correct time of Thu, 21 Feb 2013 16:15:59 GMT.
However, splunkd.log keeps telling me this timestamp is invalid -
DateParserVerbose - The TIME_FORMAT specified is matching timestamps (Mon Jan 18 19:14:07 2038) outside of the acceptable time window.
Why is this happening and how can I tell Splunk to give me the correct timestamps?
Your timestamp is expressed in milliseconds since the epoch, not seconds. This is why the %s
TIME_FORMAT is not appropriate. Instead, use:
TIME_FORMAT = %s%3N
Your timestamp is expressed in milliseconds since the epoch, not seconds. This is why the %s
TIME_FORMAT is not appropriate. Instead, use:
TIME_FORMAT = %s%3N