Splunk Search

regex for TIME_FORMAT in epoch milliseconds time

Mohsin123
Path Finder

Hey There!

I have this sort of entry in my event:
startedTime: 1528840802983

this is in epoch time
I was trying a regex for the TIME_FORMAT

TIME_PREFIX=\"startedTime\": \"
TIME_FORMAT= %s%3N

Could you please correct me on the TIME_FORMAT

0 Karma
1 Solution

lacastillo
Path Finder

As mayurr98 stated, I think your props.conf TIME_PREFIX parameter should look like this. Since you have 13 digits in your epoch time I'm guessing it goes out to milliseconds so your TIME_FORMAT may already be correct. Let us know if that works.

TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N


0 Karma


Mohsin123
Path Finder

No it didn't work,

this is my sample
6/13/18
4:10:04.000 PM

{
cdate: Wed Jun 13 16:10:04 2018
finalStatus: SUCCEEDED
id: application_xxxxx
name: Export job (158882): xxxxxxxxxxxxxx
startedTime: 1528840802983
user: xxxx
}

0 Karma

lacastillo
Path Finder

Using your sample event I was able to ingest the data with the proper timestamp using the following props.conf

[test_sourcetype]
SHOULD_LINEMERGE = true
TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N
LINE_BREAKER = \}([\r\n]+)
BREAK_ONLY_BEFORE_DATE = false
MAX_TIMESTAMP_LOOKAHEAD = 300
TRUNCATE = 1000

Keep in mind that this was done with only a single event so your MAX_TIMESTAMP_LOOKAHEAD and TRUNCATE values may have to be adjusted as necessary. Please let me know if this helped.

0 Karma

lacastillo
Path Finder

Are you able to show us your current props.conf? Is it just the timestamp that you're having trouble with?

0 Karma

mayurr98
Super Champion

1528840802983 is in milliseconds? I think it's in seconds; in that case TIME_FORMAT should be %s and TIME_PREFIX should be startedTime\:\s

0 Karma
