Re: edit props file _time

gitingua · ‎04-22-2022

Hello colleagues, I would like to know

I have events where there is a unixTime field. But the _time field does not show correctly

how can I write in props.conf so that the _time field takes time from the unixTime field

gcusello · ‎04-22-2022

Hi @gitingua,

it's possible to set a props.conf to correctly read a unixtime as timestamp.

If you could share some sample of your logs, we could help you.

Ciao.

Giuseppe

gitingua · ‎04-22-2022

@gcuselloHi!

as you can see, my _time field is ahead of the unixTime field. And I would need the _time field to be the same as unixTime

i want to change my sourcetype in props.conf so that _time takes time from unixTime field

isoutamo · ‎04-22-2022

Hi

can you add some raw data inside </> block?

Some resources to use when you are onboarding data:

Basically you should configure props.conf so, that it take correct field/place from event and recognise timestamps correct. See those TIME_* and MAX_TIMESTAMP* for found correct place. Also LINE_BREAKER needs time by time some changes.

r. Ismo

How to write in props.conf so that the _time field takes time from the unixTime field?

field extraction

HTTP Event Collector

JSON

modular input

other

props.conf

scripted input

whitelist

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?