Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do you convert time in EPOCH Scientific Notation for Props.conf TIME_FORMAT on a universal forwarder?

dsbruce
Explorer
‎10-18-2018 02:48 PM

We have a sevone network monitoring a JSON data time field formatted as EPOCH in Scientific Notation format. All the examples do not show how to take into account for Scientific Notation. Any assistance would be appreciated. time=1.539895001846788E9

We currently have this setup for DATETIME_CONFIG=CURRENT but then all the events are off and it looks like they are being batch loaded every 4 hours in the search time line.

raw data in filesystem log file. Using inputs.conf with props.conf on the UF on the syslog servers:

{"deviceId":2911,"deviceName":"SS-L1-AGNEW-2","deviceIp":"10.10.14.68","peerId":5,"objectId":227468,"objectName":"Ethernet1/30","objectDesc":"Ethernet1/30","pluginId":1,"pluginName":"SNMP Poller","indicatorId":1420925,"indicatorName":"s1_TotalErrors","format":0,"value":"0.0","**time**":**_1.539895001846788E9_**,"clusterName":"NMS","peerIp":"10.10.30.46"}

I have in props.conf TIME_PREFIX=\"time\": , but I have not found any entry for TIME_FORMAT that works.

If this will not work for PROPS, any suggestions on how to get the correct time for indexing would be appreciated.

TY

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...