How to edit my props.conf to take timestamp from an updated field?

Shark2112
Communicator

Hey everyone.

I have read all the related posts about timestamps and still can't make it work.

So, I have events like this:

....................."2016-11-01T21:33:16.000+0300",splunk,splunk...............one, u'Baseline Effort': None, u'Labels': '', u'Updated': u'2016-11-02T20:17:13.000+0300', u'\u03a3 Progress_progress'................

I need to take the timestamp from the Updated field.

props.conf

[Jira]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Custom
description =
disabled = false
pulldown_type = true
TIME_PREFIX = Updated': u'
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
0 Karma
1 Solution

gcusello
SplunkTrust

Hi Shark2112,

Probably the problem is that the apostrophe is a special character, so you have to use a backslash (\) before it.

So you'll have TIME_PREFIX = Updated\'\:\su\' and MAX_TIMESTAMP_LOOKAHEAD=28
In addition, if you have a CSV, you can set the timestamp field using TIMESTAMP_FIELDS=your_timestamp_field.

Bye.
Giuseppe

0 Karma

Shark2112
Communicator

The trouble was in the apostrophes, thanks a lot.

0 Karma

niketn
Legend

Your values of TIME_FORMAT and TIME_PREFIX seem to pick up the timestamp from the example event you have provided here.

1) Can you please check whether MAX_TIMESTAMP_LOOKAHEAD is at least 32 or more? You can also increase this to a very high number just to see whether at least one event is identified properly, and to confirm that there is an issue with event breaking in that case.

2) Also look into your event breaks to confirm that all events are being identified properly. Otherwise individual events can become too large, and identifying the timestamp may become difficult.

If the above two do not help, can you provide at least two or more sample events (anonymized) from your logs? It would then be possible to look further.

TIME_FORMAT=%Y-%m-%dT%H:%M:%S.%3N%z
TIME_PREFIX=Updated': u'
MAX_TIMESTAMP_LOOKAHEAD=32

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
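As an added worked example (not code from this thread or from Splunk), the following Python script emulates how the three settings discussed in gcusello's and niketn's answers, TIME_PREFIX, TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD, cooperate on an event shaped like the one in the question: it reads a constructed props.conf-style stanza, locates the timestamp with the prefix regex, takes only MAX_TIMESTAMP_LOOKAHEAD characters from there and parses them with a strptime translation of the Splunk format. It also tries gcusello's escaped prefix, an anchor on the first field (which picks the earlier timestamp instead), and a lookahead too short to cover the 28-character timestamp. The stanza, the sample event, the INI-style reader and the `%3N`-to-`%f` translation are all assumptions of the example; Splunk's own timestamp processor is not being called.

```python
import configparser
import re
from datetime import datetime

# Constructed sample event, modelled on the (elided) one in the question.
# It carries two timestamps: the first field and the later "Updated" value.
SAMPLE_EVENT = (
    '"2016-11-01T21:33:16.000+0300",splunk,splunk,one, '
    "u'Baseline Effort': None, u'Labels': '', "
    "u'Updated': u'2016-11-02T20:17:13.000+0300', u'\\u03a3 Progress_progress'"
)

# Constructed props.conf stanza using the settings the thread converges on.
# Only the three timestamp settings are emulated; the rest of a real stanza
# (INDEXED_EXTRACTIONS, SHOULD_LINEMERGE, ...) is ignored here.
PROPS_CONF = r"""
[Jira]
TIME_PREFIX = Updated': u'
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 32
"""


def load_stanza(text, name):
    """Parse a props.conf-style stanza into a dict (an INI reader is an
    assumption of this example; Splunk's own config parser is not used)."""
    cp = configparser.ConfigParser(interpolation=None)  # keep the % in TIME_FORMAT literal
    cp.optionxform = str  # preserve key case as written
    cp.read_string(text)
    return dict(cp[name])


def splunk_to_python_format(fmt):
    """Translate Splunk's %3N (milliseconds) to Python's %f, which accepts
    1 to 6 fractional digits; the other directives are the same in both."""
    return re.sub(r"%[1-9]?N", "%f", fmt)


def extract_timestamp(event, settings):
    """Emulate TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD on one event.

    Returns an aware datetime, or None when the prefix is not found or the
    lookahead window does not contain a parsable timestamp."""
    prefix = settings.get("TIME_PREFIX", "")
    fmt = splunk_to_python_format(settings["TIME_FORMAT"])
    lookahead = int(settings.get("MAX_TIMESTAMP_LOOKAHEAD", 128))  # Splunk default is 128

    start = 0
    if prefix:
        match = re.search(prefix, event)
        if match is None:
            return None
        start = match.end()  # the timestamp must begin right after the prefix

    window = event[start:start + lookahead]
    # strptime wants the whole string consumed, so try the longest candidate
    # first; a window shorter than the timestamp (28 characters here) never parses.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


def demo():
    """Run the scenarios discussed in the thread and return their results."""
    base = load_stanza(PROPS_CONF, "Jira")
    return {
        # the prefix as posted in the question, unescaped
        "updated": extract_timestamp(SAMPLE_EVENT, base),
        # gcusello's escaped prefix: \' and \: are literal characters in a regex
        "escaped_prefix": extract_timestamp(
            SAMPLE_EVENT, {**base, "TIME_PREFIX": r"Updated\'\:\su\'"}),
        # anchoring on the opening quote picks the first field's timestamp instead
        "first_field": extract_timestamp(SAMPLE_EVENT, {**base, "TIME_PREFIX": r'^"'}),
        # a lookahead shorter than the 28-character timestamp finds nothing
        "short_lookahead": extract_timestamp(
            SAMPLE_EVENT, {**base, "MAX_TIMESTAMP_LOOKAHEAD": "20"}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value.isoformat() if value else None}")
```

The "short_lookahead" case is the failure mode niketn describes: the prefix is found, but the 20-character window ends before the timezone offset, so nothing parses and a real indexer would fall back to other timestamp heuristics or the index time.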

Shark2112
Communicator

The trouble was in the apostrophes, thank you for the help anyway!

0 Karma