Splunk Search

ISO 8601 TimeStamp Extraction / Formatting and Source Type Config

DGilbert91
Explorer

Hi all,

I have a timestamp in a format I haven't dealt with before and I am struggling to get it converted to my timezone using the offset. In raw event form it is like this:
"TimeGenerated": "2022-10-25T04:21:50.2975103Z"

I have also attached a screenshot of how Splunk is indexing it.

My second question is how would I configure the sourcetype to have Splunk use the TimeGenerated field as _time automatically? I've attached a second screenshot with the sourcetype as well.

DGilbert91_0-1666824153338.png

Any help or links would be greatly appreciated!

0 Karma
1 Solution

johnhuang
Motivator

Try the following settings:

TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z
TIME_PREFIX = "TimeGenerated":\s"
0 Karma
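As an added illustration (not code from the thread or from Splunk), the parsing the accepted settings describe, modelled in Python: the TIME_PREFIX regex locates the field, the seven subsecond digits (%7N) are cut down to the six Python can hold, and the trailing Z (%Z) is read as UTC before rendering in a chosen offset. It also accepts ±HH:MM offsets, which goes beyond the page's single Z case; RAW_EVENT is a constructed sample event in the shape shown in the question.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample event, same shape as the raw event in the question.
RAW_EVENT = '{"TimeGenerated": "2022-10-25T04:21:50.2975103Z", "Level": "Informational"}'

# Counterpart of TIME_PREFIX = "TimeGenerated":\s"  (where the timestamp starts).
TIME_PREFIX = re.compile(r'"TimeGenerated":\s"')
# Counterpart of TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z, with Z or a numeric offset.
TIME_PATTERN = re.compile(
    r'(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\.(\d{1,9})(Z|[+-]\d{2}:\d{2})'
)


def extract_time(raw):
    """Return the event time as an aware UTC datetime, or None if prefix/format do not match."""
    m = TIME_PREFIX.search(raw)
    if not m:
        return None
    t = TIME_PATTERN.match(raw, m.end())
    if not t:
        return None
    base = datetime.strptime(t.group(1), "%Y-%m-%dT%H:%M:%S")
    # Python keeps microseconds only: pad or truncate the fraction to 6 digits.
    frac = (t.group(2) + "000000")[:6]
    zone = t.group(3)
    if zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]), minutes=int(zone[4:6])))
    return base.replace(microsecond=int(frac), tzinfo=tz).astimezone(timezone.utc)


def epoch_time(raw):
    """Epoch seconds for the event, the value Splunk would store in _time."""
    dt = extract_time(raw)
    return None if dt is None else dt.timestamp()


def in_offset(raw, offset_hours):
    """Render the event time in a fixed UTC offset, the conversion asked about above."""
    dt = extract_time(raw)
    if dt is None:
        return None
    return dt.astimezone(timezone(timedelta(hours=offset_hours))).isoformat()


def naive_strptime_fails(ts):
    """Why the fraction needs care: strptime's %f accepts at most six digits."""
    try:
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")
        return False
    except ValueError:
        return True
```

If _time still disagrees with TimeGenerated after the settings are in place, compare the epoch this function produces for a raw event with the indexed _time to see whether the parse or the timezone is off.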

DGilbert91
Explorer

hey johnhuang,

I have attempted your suggestion and ingested some more data:

DGilbert91_0-1666841246381.png

Unfortunately it doesn't look like it has updated _time correctly:

DGilbert91_1-1666841276825.png

Would these settings have any impact as well?

DGilbert91_2-1666841353094.png

Appreciate your help, thanks mate

0 Karma

johnhuang
Motivator

If the data is being processed by a heavy forwarder, make sure this is applied there.

0 Karma

DGilbert91
Explorer

This worked perfectly thanks mate!