Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

regex for TIME_FORMAT in epoch milliseconds time

Mohsin123
Path Finder
‎06-13-2018 06:46 AM

Hey There !

I have this sort of entry in my event :
startedTime: 1528840802983

this is in epoch time
I was trying a regex for the TIME_FORMAT

TIME_PREFIX=\"startedTime\": \"
TIME_FORMAT= %s%3N

Could you pl correct me on the TIME_FORMAT

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lacastillo
Path Finder
‎06-13-2018 06:59 AM

As mayurr98 stated, I think your props.conf TIME_PREFIX parameter should look like this. Since you have 13 digits in your epoch time I'm guessing it goes out to milliseconds so your TIME_FORMAT may already be correct. Let us know if that works.

TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

lacastillo
Path Finder
‎06-13-2018 06:59 AM

As mayurr98 stated, I think your props.conf TIME_PREFIX parameter should look like this. Since you have 13 digits in your epoch time I'm guessing it goes out to milliseconds so your TIME_FORMAT may already be correct. Let us know if that works.

TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N

0 Karma
Reply
Solved! Jump to solution

Mohsin123
Path Finder
‎06-13-2018 07:11 AM

no it dint work
this is my sample
No it dint work,

this is my sample
6/13/18
4:10:04.000 PM

{ [-]
cdate: Wed Jun 13 16:10:04 2018

finalStatus: SUCCEEDED

id: application_xxxxx

name: Export job (158882): xxxxxxxxxxxxxx
startedTime: 1528840802983

user: xxxx
}

0 Karma
Reply
Solved! Jump to solution

lacastillo
Path Finder
‎06-13-2018 08:12 AM

Using your sample event I was able to ingest the data with the proper timestamp using the following props.conf

[test_sourcetype]
SHOULD_LINEMERGE = true
TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N
LINE_BREAKER = \}([\r\n]+)
BREAK_ONLY_BEFORE_DATE = false
MAX_TIMESTAMP_LOOKAHEAD = 300
TRUNCATE = 1000

Keep in mind that this was done with only a single event so your MAX_TIMESTAMP_LOOKAHEAD and TRUNCATE values may have to be adjusted as necessary. Please let me know if this helped.

0 Karma
Reply
Solved! Jump to solution

lacastillo
Path Finder
‎06-13-2018 07:16 AM

Are you able to show us your current props.conf? Is it just the timestamp that you're having trouble with?

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎06-13-2018 06:56 AM

1528840802983 is in milliseconds? I think its in seconds then in that case TIME_FORMAT should be %s and TIME_PREFIX should be startedTime\:\s

0 Karma
Reply
Solved! Jump to solution

Mohsin123
Path Finder
‎06-13-2018 07:11 AM

No it dint work,

this is my sample
6/13/18
4:10:04.000 PM

{ [-]
cdate: Wed Jun 13 16:10:04 2018

finalStatus: SUCCEEDED

id: application_xxxxx

name: Export job (158882): xxxxxxxxxxxxxx
startedTime: 1528840802983

user: xxxx
}

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...