Splunk Search

Time-Date recognize Unix Epoch Time milliseconds

ryastrebov
Communicator

Hello!
I have log contains time-date in Unix Epoch format (milliseconds).
One event fragments is:

04,013c5f8ecc0f,013c5f8ecd04,0038af,...

Desired date is contained in column 3 (013c5f8ecd04).

During indexing process Splunk some date perceive correctly, and some not. This values (013c5f8ecd04) Splunk understand as 11/28/11 10:53:54.000 PM. It is incorrect.

Necessary to date indexing perceived correctly.
How can this be done?

Best regards,
Roman

Tags (1)
0 Karma

ryastrebov
Communicator

Thanks for the warning! I do not know really how to correctly extract the information about the date and time from the field... Because in most cases the date is retrieved correctly.

0 Karma

sideview
SplunkTrust
SplunkTrust

beware when you do get it working correctly, your date_hour fields and all your date_* fields will be calculated as though you had set the timezone explicitly to GMT, which effectively means all your date_hour values will be off by whatever your timezone offset is, and all your other date_* fields will be slightly unreliable too. This has bitten me in the past.

0 Karma

yannK
Splunk Employee
Splunk Employee

Define a timeprefix and timeformat extraction in props.conf for this sourcetype
To verify use the data preview.

ryastrebov
Communicator

Unlikely because in this file same part of the dates correctly perceived

0 Karma

eashwar
Communicator

i hope it is because of the TIME ZONE configured incorrectly.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...