I have exported an SQLite database into an XML file (using Navicat) and then indexed it into Splunk. However, the time and date information seems to be in a strange format. Any ideas what it is, or how I can get it to display properly?
<Creation_Time>1303723121371</Creation_Time>
<Test_Date>1301011200000</Test_Date>
Thanks
Guy
I have tried the following in props.conf but am still getting the same issue:
[bayer_glucofacts]
BREAK_ONLY_BEFORE = ([\r\n]+)
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TIME_PREFIX =
TIME_FORMAT = %s%3N
pulldown_type = 1
It's not %s. As I said, it's %s%3N, and you also should include a TIME_PREFIX to locate the time, since there are many other timestamps visible earlier in the event.
Hello,
Thanks for your replies. I have added TIME_FORMAT=%s to props.conf; however, in "data preview" for the sourcetype defined in props.conf and inputs.conf it is still incorrect.
I would really appreciate any help!
Fields Incorrect
Creation_Time
Test_Date
Last_Modification_Time
Data Preview
<RECORD>
Thanks
It is epoch millisecond time. You can specify the format in Splunk with
TIME_FORMAT = %s%3N
It's epoch or Unix time.
http://splunk-base.splunk.com/answers/8428/how-do-i-recognize-a-time-in-epoch-seconds
Yes, you are correct.
To be accurate, these seem to be epoch times with millisecond precision, which is why you see 13 digits instead of the usual 10 that are necessary to represent seconds since the epoch.
1303723121371 = 1303723121.371 seconds since the epoch = Mon, 25 Apr 2011 09:18:41.371 GMT
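The conversion described in the answers above, as an added example that is not part of the original thread: a Python check that tells 10-digit epoch seconds from 13-digit epoch milliseconds and renders both as UTC, which is useful for confirming what Splunk should display. The `<RECORD>` sample is constructed from the two values quoted in the question; the `Result` element and the function names are assumptions for illustration.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample record: element names and the two timestamp values come
# from the thread; the Result element is an assumption added as a non-time field.
SAMPLE_RECORD = """<RECORD>
  <Creation_Time>1303723121371</Creation_Time>
  <Test_Date>1301011200000</Test_Date>
  <Result>n/a</Result>
</RECORD>"""


def epoch_to_utc(raw):
    """Convert a 10-digit (seconds) or 13-digit (milliseconds) epoch string to UTC."""
    raw = raw.strip()
    if re.fullmatch(r"\d{13}", raw):
        millis = int(raw)
    elif re.fullmatch(r"\d{10}", raw):
        millis = int(raw) * 1000
    else:
        raise ValueError(f"not a 10- or 13-digit epoch value: {raw!r}")
    # Integer timedelta arithmetic avoids float rounding of the millisecond part.
    return EPOCH + timedelta(milliseconds=millis)


def record_times(xml_text):
    """Return {element name: ISO 8601 UTC string} for each epoch-valued child."""
    out = {}
    for child in ET.fromstring(xml_text):
        try:
            ts = epoch_to_utc(child.text or "")
        except ValueError:
            continue  # not a timestamp field, skip it
        out[child.tag] = ts.isoformat(timespec="milliseconds")
    return out


if __name__ == "__main__":
    for name, value in record_times(SAMPLE_RECORD).items():
        print(f"{name}: {value}")
```
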