Hey there!
I have this sort of entry in my event:
startedTime: 1528840802983
This is in epoch time.
I was trying a regex for the TIME_FORMAT:
TIME_PREFIX=\"startedTime\": \"
TIME_FORMAT= %s%3N
Could you please correct me on the TIME_FORMAT?
As mayurr98 stated, I think your props.conf TIME_PREFIX parameter should look like this. Since you have 13 digits in your epoch time I'm guessing it goes out to milliseconds so your TIME_FORMAT may already be correct. Let us know if that works.
TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N
No, it didn't work.
This is my sample:
6/13/18
4:10:04.000 PM
{ [-]
cdate: Wed Jun 13 16:10:04 2018
finalStatus: SUCCEEDED
id: application_xxxxx
name: Export job (158882): xxxxxxxxxxxxxx
startedTime: 1528840802983
user: xxxx
}
Using your sample event I was able to ingest the data with the proper timestamp using the following props.conf
[test_sourcetype]
SHOULD_LINEMERGE = true
TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N
LINE_BREAKER = \}([\r\n]+)
BREAK_ONLY_BEFORE_DATE = false
MAX_TIMESTAMP_LOOKAHEAD = 300
TRUNCATE = 1000
Keep in mind that this was done with only a single event so your MAX_TIMESTAMP_LOOKAHEAD and TRUNCATE values may have to be adjusted as necessary. Please let me know if this helped.
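A quick offline check of the settings discussed in this thread, as an added example that is not part of any poster's reply. It assumes Python's `re` as a stand-in for Splunk's regex engine and only approximates `%s%3N`; `RAW_JSON` and the "tolerant" prefix are constructed for illustration and do not come from the thread.

```python
import re
from datetime import datetime, timezone

# Event text as displayed in the thread (trimmed), and a constructed JSON-style
# variant (assumption: the raw data may carry quotes the event viewer hides).
DISPLAYED = ("cdate: Wed Jun 13 16:10:04 2018\nfinalStatus: SUCCEEDED\n"
             "startedTime: 1528840802983\nuser: xxxx\n")
RAW_JSON = ('{"cdate": "Wed Jun 13 16:10:04 2018", "finalStatus": "SUCCEEDED", '
            '"startedTime": 1528840802983, "user": "xxxx"}')

PREFIXES = {
    "question": r'\"startedTime\": \"',
    "answer": r"startedTime:\s",
    "tolerant (hypothetical)": r'"?startedTime"?:\s*',
}

def extract_epoch(event, time_prefix, lookahead=300):
    """Approximate TIME_PREFIX + TIME_FORMAT=%s%3N: locate the prefix, then
    read 10 epoch-second digits and optional 3 millisecond digits."""
    m = re.search(time_prefix, event)
    if m is None:
        return None  # prefix never matched, so the format is never applied
    window = event[m.end():m.end() + lookahead]
    digits = re.match(r"(\d{10})(\d{3})?(?!\d)", window)
    if digits is None:
        return None
    millis = int(digits.group(2) or 0)
    ts = datetime.fromtimestamp(int(digits.group(1)), tz=timezone.utc)
    return ts.replace(microsecond=millis * 1000)

def check_all():
    """Return {(prefix name, event name): parsed UTC datetime or None}."""
    events = {"displayed": DISPLAYED, "raw_json": RAW_JSON}
    return {(p, e): extract_epoch(text, rx)
            for p, rx in PREFIXES.items() for e, text in events.items()}

if __name__ == "__main__":
    for key, value in check_all().items():
        print(key, "->", value.isoformat() if value else "no timestamp extracted")
```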
Are you able to show us your current props.conf? Is it just the timestamp that you're having trouble with?
1528840802983 is in milliseconds? I think it's in seconds, then in that case TIME_FORMAT should be %s and TIME_PREFIX should be startedTime\:\s