Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

ISO 8601 TimeStamp Extraction / Formatting and Source Type Config

DGilbert91
Explorer
‎10-26-2022 03:44 PM

Hi all,

I have a timestamp in a format I havn't dealt with before and I am struggling to get it converted to my timezone using the offset. In raw event form it is like this:
"TimeGenerated": "2022-10-25T04:21:50.2975103Z"

I have also attached a screenshot of how splunk is indexing it.

My second question is how would I configure the sourcetype to have splunk use TimeGenerated field as _time automatically? I've attached a second screenshot with the sourcetype as well.

DGilbert91_0-1666824153338.png

 

Any help or links would be greatly appreciated!

Labels (1)
Labels
Preview file
72 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

johnhuang
Motivator
‎10-26-2022 08:10 PM

Try the following settings:

 

TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z
TIME_PREFIX = "TimeGenerated":\s"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

johnhuang
Motivator
‎10-26-2022 08:10 PM

Try the following settings:

 

TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%Z
TIME_PREFIX = "TimeGenerated":\s"

0 Karma
Reply
Solved! Jump to solution

DGilbert91
Explorer
‎10-26-2022 08:29 PM

hey johnhuang,

I have attempted your suggestion and ingested some more data:

DGilbert91_0-1666841246381.png

 

Unfortunately it doesn't look like it has updated _time correctly:

DGilbert91_1-1666841276825.png

 

Would these settings have any impact as well?

DGilbert91_2-1666841353094.png

 

 

Appreciate your help, thanks mate

0 Karma
Reply
Solved! Jump to solution

johnhuang
Motivator
‎10-26-2022 09:11 PM

If the data is being processed by a heavy forwarder, make sure this is applied there.

0 Karma
Reply
Solved! Jump to solution

DGilbert91
Explorer
‎11-15-2022 09:33 PM

This worked perfectly thanks mate!

Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...