Hi, I need Splunk to recognize the timestamps down to microseconds.
A sample event is listed below
"2014-06-03-18.30.02.188462","SYSADMIN","DB2AUDIT",2,0,"","dsbdbadm","DSBDBADM",,,"*LOCAL.dsbdbadm.140603103002","db2audit",,,,,,,,,,,,,,,
[test]
TIME_PREFIX = ^"
TIME_FORMAT = %Y-%m-%d-%H.%M.%S.%6N
But it didn’t work.
Any suggestions?
Thanks.
I tried to change the setting.
In props.conf:
[test]
SHOULD_LINEMERGE=false
TIME_FORMAT=\"%Y-%m-%d-%H.%M.%S.%6N\"
In inputs.conf:
[monitor:///audit/03/instance/audit.del]
sourcetype = test
source = sat
index = sat
But Splunk still can't get the log.
We tried deleting the microseconds in audit.del, and then Splunk could get the log.
Please advise!
This worked fine with your sample data:
[timetest]
SHOULD_LINEMERGE=false
TIME_FORMAT=\"%Y-%m-%d-%H.%M.%S.%6N\"
Have you tried omitting TIME_PREFIX?
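
An offline check of the two stanzas posted in this thread, as an added example (not code from any poster and not Splunk's own timestamp parser). It approximates TIME_PREFIX and TIME_FORMAT in Python for the directives used here, assuming `%6N` means six subsecond digits and `\"` in TIME_FORMAT is a literal quote; the function names are hypothetical. It can show whether a format fits the sample event, not why an input is not indexed.

```python
import re
from datetime import datetime

# Sample event from the question, shortened to its first fields.
SAMPLE = '"2014-06-03-18.30.02.188462","SYSADMIN","DB2AUDIT",2,0,"","dsbdbadm"'
# Constructed variant with the microseconds removed, as the poster tried.
NO_MICROS = '"2014-06-03-18.30.02","SYSADMIN","DB2AUDIT",2,0,"","dsbdbadm"'

# Regex for each strptime directive this sketch supports.
DIRECTIVES = {"Y": r"\d{4}", "m": r"\d{2}", "d": r"\d{2}", "H": r"\d{2}",
              "M": r"\d{2}", "S": r"\d{2}", "f": r"\d{6}"}

def to_strptime(time_format):
    """Map the TIME_FORMAT values seen in the thread to a Python format."""
    fmt = time_format.replace('\\"', '"')  # assumption: \" is a literal quote
    fmt = fmt.replace("%6N", "%f")         # assumption: %6N = 6-digit subseconds
    if re.search(r"%\d*N", fmt):
        raise ValueError("only %6N subseconds are handled in this sketch")
    return fmt

def format_regex(py_fmt):
    """Build a regex that locates text shaped like py_fmt inside an event."""
    parts, i = [], 0
    while i < len(py_fmt):
        if py_fmt[i] == "%":
            code = py_fmt[i + 1:i + 2]
            if code not in DIRECTIVES:
                raise ValueError("unsupported directive %" + code)
            parts.append(DIRECTIVES[code])
            i += 2
        else:
            parts.append(re.escape(py_fmt[i]))
            i += 1
    return re.compile("".join(parts))

def extract_time(event, time_format, time_prefix=None):
    """Return the parsed datetime, or None if prefix or format do not match."""
    start = 0
    if time_prefix is not None:
        prefix = re.search(time_prefix, event)
        if prefix is None:
            return None
        start = prefix.end()  # timestamp is looked for after the prefix match
    py_fmt = to_strptime(time_format)
    found = format_regex(py_fmt).search(event, start)
    return datetime.strptime(found.group(0), py_fmt) if found else None

if __name__ == "__main__":
    print(extract_time(SAMPLE, "%Y-%m-%d-%H.%M.%S.%6N", '^"'))
    print(extract_time(SAMPLE, '\\"%Y-%m-%d-%H.%M.%S.%6N\\"'))
    print(extract_time(NO_MICROS, "%Y-%m-%d-%H.%M.%S.%6N", '^"'))
```

Both stanzas from the thread yield the same microsecond-precision value for the sample event in this sketch, while the variant without microseconds does not fit the explicit format at all.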