I'm struggling to get my Splunk 6.0.1 to recognise an epoch time for all events. I have specified a timestamp format of %s.%3N to assist identifying millisecond times but for some rows it's picking up an earlier field which is part of an IPv6 address.
For example the following line works correctly:
Request,555,10.22.16.23,100010001,endpointID,GECHO,COMMAND TYPE,2,1405918237788,,SUCCESS,
However, this one doesn't, as it picks up 2:21 as the time:
Response,6c80f937-fb0c-4dd8-9df9-4e2d5d5eec95,2001:8888:0:2:21d:2300:5f6:811,100010001,,,ON_DEMAND_RESPONSE,,1405918239130,1405918239130,SUCCESS,
I can manage to get it to recognise it, but only if I move the fields to the beginning and specify that "Timestamp never extends more than 13 chars into the event".
Can anyone provide assistance, please? Unfortunately I'm not in a position where I can ask for a reordering of columns without incurring a commercial cost.
Many thanks.
Matt
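The following is an added example, not part of Matt's post or of Splunk itself: it takes the two sample rows above and shows the difference between scanning the whole line for the first "time-looking" token (which lands on the `2:21` inside the IPv6 address) and anchoring the extraction to the column that actually holds the timestamp, the ninth comma-separated field, which in both rows is 13 contiguous digits (epoch seconds followed by milliseconds, no separator). The regexes, the helper names and the loose-scan rule are assumptions made for illustration; the loose scan is not a model of Splunk's real timestamp processor.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample input: the two event rows quoted in the question.
SAMPLE_EVENTS = [
    "Request,555,10.22.16.23,100010001,endpointID,GECHO,COMMAND TYPE,2,1405918237788,,SUCCESS,",
    "Response,6c80f937-fb0c-4dd8-9df9-4e2d5d5eec95,2001:8888:0:2:21d:2300:5f6:811,"
    "100010001,,,ON_DEMAND_RESPONSE,,1405918239130,1405918239130,SUCCESS,",
]

# Deliberately loose scan (illustration only): first token that looks like an
# H:MM clock time or a 13-digit epoch-millisecond value, wherever it sits in the line.
LOOSE_TIME_TOKEN = re.compile(r"\b\d{1,2}:\d{2}|\b\d{13}\b")

# Anchored extraction (assumed names, analogous to a TIME_PREFIX/TIME_FORMAT pair):
# skip exactly eight comma-delimited fields, then require ten digits of epoch
# seconds immediately followed by three digits of milliseconds and a field end.
TIME_PREFIX = re.compile(r"^(?:[^,]*,){8}")
EPOCH_MILLIS = re.compile(r"(\d{10})(\d{3})(?=,|$)")


def naive_first_time_token(event: str) -> Optional[str]:
    """Return whatever the loose scan grabs first; shows why 2:21 wins on the IPv6 row."""
    m = LOOSE_TIME_TOKEN.search(event)
    return m.group(0) if m else None


def extract_timestamp(event: str) -> Optional[datetime]:
    """Return the UTC timestamp from the ninth column, or None if it is not epoch-millis."""
    prefix = TIME_PREFIX.match(event)
    if not prefix:
        return None  # fewer than nine columns: nothing to extract
    m = EPOCH_MILLIS.match(event, prefix.end())
    if not m:
        return None  # ninth column is not a 13-digit epoch value
    seconds, millis = int(m.group(1)), int(m.group(2))
    # Add the milliseconds as a timedelta to avoid float rounding in fromtimestamp().
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(milliseconds=millis)


def extract_all(events: List[str]) -> List[Optional[str]]:
    """ISO-8601 rendering of each event's timestamp (None where extraction fails)."""
    out = []
    for ev in events:
        ts = extract_timestamp(ev)
        out.append(ts.isoformat() if ts else None)
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print("loose scan :", naive_first_time_token(ev))
        print("anchored   :", extract_timestamp(ev))
```

The point the code makes is that the fix is positional, not format-based: once extraction is told to start after the eighth comma, the IPv6 address can contain whatever it likes. The Splunk analogue I would try (untested against 6.0.1, so treat it as a starting point) is a props.conf stanza for the sourcetype with `TIME_PREFIX = ^(?:[^,]*,){8}`, `TIME_FORMAT = %s%3N` and `MAX_TIMESTAMP_LOOKAHEAD = 13`, which leaves the column order as-is and avoids the commercial cost of reordering.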