Hello,
I have timestamps in the following format.
1383058343.661030
I added the following to my props.conf.
TIME_FORMAT = %s%6N
This was in a Splunk cluster. After the bundle was applied, the events stopped breaking like they normally do. Instead they started to be grouped together.
Questions:
You are missing the dot.
TIME_FORMAT = %s.%6N
/K
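To make the missing-dot point concrete, here is a small parser written for this thread (it is not Splunk's own code and does not reproduce all of Splunk's strptime behaviour). It models only the two directives at issue, %s for epoch seconds and %6N for six sub-second digits, with every other format character taken literally. With the dot present the sample timestamp parses; without it, %6N lands on the "." and the match fails, which is the kind of failure that leaves Splunk unable to find a timestamp and break events correctly.

```python
import re
from datetime import datetime, timezone
from typing import Optional

# Sample timestamp from the thread; the formats are the two props.conf values discussed.
SAMPLE = "1383058343.661030"
WRONG_FORMAT = "%s%6N"    # as first posted: no literal dot between seconds and fraction
RIGHT_FORMAT = "%s.%6N"   # the corrected value


def parse_epoch_format(text: str, fmt: str) -> Optional[datetime]:
    """Minimal model (an assumption, not Splunk's implementation) of a strptime
    that understands %s (epoch seconds) and %<n>N (n sub-second digits).
    Returns a UTC datetime on a full match, or None if the format does not fit."""
    pos = 0          # cursor into text
    i = 0            # cursor into fmt
    seconds: Optional[int] = None
    microseconds = 0
    while i < len(fmt):
        if fmt.startswith("%s", i):
            # %s greedily takes the run of digits that forms the epoch seconds.
            m = re.match(r"\d+", text[pos:])
            if not m:
                return None
            seconds = int(m.group())
            pos += m.end()
            i += 2
            continue
        m = re.match(r"%(\d+)N", fmt[i:])
        if m:
            # %<n>N requires exactly n digits at the current position.
            width = int(m.group(1))
            digits = text[pos:pos + width]
            if len(digits) != width or not digits.isdigit():
                return None        # e.g. a "." where digits were expected
            # Scale to microseconds regardless of the requested width.
            microseconds = int(digits.ljust(6, "0")[:6])
            pos += width
            i += m.end()
            continue
        # Any other character in the format must match the input literally.
        if pos >= len(text) or text[pos] != fmt[i]:
            return None
        pos += 1
        i += 1
    if seconds is None:
        return None
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=microseconds)


def check_formats() -> dict:
    """Run both props.conf formats against the sample and report the outcome."""
    return {
        WRONG_FORMAT: parse_epoch_format(SAMPLE, WRONG_FORMAT),
        RIGHT_FORMAT: parse_epoch_format(SAMPLE, RIGHT_FORMAT),
    }


if __name__ == "__main__":
    for fmt, result in check_formats().items():
        print(f"{fmt!r:10} -> {result.isoformat() if result else 'no match'}")
```

Running it shows the broken format yielding no match and the corrected one yielding 2013-10-29T14:52:23.661030+00:00, a quick way to sanity-check a TIME_FORMAT against a sample line before pushing a bundle to the indexers.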
I did indeed. Thanks!
And yes, this configuration is supposed to go to the indexers (or to a Heavy Forwarder - whichever comes first)
http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings
/K