Splunk Search

regex for TIME_FORMAT in epoch milliseconds time

Mohsin123
Path Finder

Hey there!

I have this sort of entry in my event:
startedTime: 1528840802983

This is in epoch time. I was trying a regex for the TIME_FORMAT:

TIME_PREFIX=\"startedTime\": \"
TIME_FORMAT= %s%3N

Could you please correct me on the TIME_FORMAT?

0 Karma
1 Solution

lacastillo
Path Finder

As mayurr98 stated, I think your props.conf TIME_PREFIX parameter should look like this. Since you have 13 digits in your epoch time, I'm guessing it goes out to milliseconds, so your TIME_FORMAT may already be correct. Let us know if that works.

TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N

0 Karma

Mohsin123
Path Finder

No, it didn't work.

This is my sample:
6/13/18
4:10:04.000 PM

{
cdate: Wed Jun 13 16:10:04 2018
finalStatus: SUCCEEDED
id: application_xxxxx
name: Export job (158882): xxxxxxxxxxxxxx
startedTime: 1528840802983
user: xxxx
}

0 Karma

lacastillo
Path Finder

Using your sample event I was able to ingest the data with the proper timestamp using the following props.conf:

[test_sourcetype]
SHOULD_LINEMERGE = true
TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N
LINE_BREAKER = \}([\r\n]+)
BREAK_ONLY_BEFORE_DATE = false
MAX_TIMESTAMP_LOOKAHEAD = 300
TRUNCATE = 1000

Keep in mind that this was done with only a single event so your MAX_TIMESTAMP_LOOKAHEAD and TRUNCATE values may have to be adjusted as necessary. Please let me know if this helped.

0 Karma
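To check that the TIME_PREFIX regex and the %s%3N format actually line up with the raw event before touching props.conf, here is a small Python emulation of that extraction (an added example, not code from this thread or from Splunk; the parse_epoch_ms helper and the constructed event text are assumptions, and Splunk's own timestamp parser is more lenient than this sketch).

```python
import re
from datetime import datetime, timezone

# Constructed sample event, mirroring the raw text the poster showed (not from a live system).
SAMPLE_EVENT = (
    "{\n"
    "cdate: Wed Jun 13 16:10:04 2018\n"
    "finalStatus: SUCCEEDED\n"
    "id: application_xxxxx\n"
    "name: Export job (158882): xxxxxxxxxxxxxx\n"
    "startedTime: 1528840802983\n"
    "user: xxxx\n"
    "}\n"
)


def parse_epoch_ms(event, time_prefix=r"startedTime:\s", lookahead=300):
    """Hypothetical emulation of TIME_PREFIX + TIME_FORMAT = %s%3N.

    Returns the UTC datetime encoded after the first match of time_prefix,
    or None when the prefix regex does not match the raw event or no
    13-digit epoch-milliseconds value follows it within the lookahead window.
    """
    m = re.search(time_prefix, event)           # TIME_PREFIX is a regex, so quoting must match the raw text
    if m is None:
        return None
    window = event[m.end():m.end() + lookahead]  # MAX_TIMESTAMP_LOOKAHEAD counts from the prefix match
    d = re.match(r"(\d{10})(\d{3})", window)     # %s -> 10 digits of seconds, %3N -> 3 digits of milliseconds
    if d is None:
        return None
    seconds, millis = int(d.group(1)), int(d.group(2))
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=millis * 1000)


if __name__ == "__main__":
    # The thread's corrected prefix matches; the poster's original quoted prefix does not.
    print(parse_epoch_ms(SAMPLE_EVENT))
    print(parse_epoch_ms(SAMPLE_EVENT, time_prefix=r'"startedTime": "'))
```

Note that 1528840802983 decodes to 2018-06-12 22:00:02.983 UTC, which differs from the event's cdate field, so the timestamp Splunk assigns tells you directly which field it picked.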

lacastillo
Path Finder

Are you able to show us your current props.conf? Is it just the timestamp that you're having trouble with?

0 Karma

mayurr98
Super Champion

1528840802983 is in milliseconds? I think it's in seconds; in that case TIME_FORMAT should be %s and TIME_PREFIX should be startedTime\:\s

0 Karma