- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- regex for TIME_FORMAT in epoch milliseconds time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey There !
I have this sort of entry in my event :
startedTime: 1528840802983
this is in epoch time
I was trying a regex for the TIME_FORMAT
TIME_PREFIX=\"startedTime\": \"
TIME_FORMAT= %s%3N
Could you pl correct me on the TIME_FORMAT
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As mayurr98 stated, I think your props.conf TIME_PREFIX parameter should look like this. Since you have 13 digits in your epoch time I'm guessing it goes out to milliseconds so your TIME_FORMAT may already be correct. Let us know if that works.
TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As mayurr98 stated, I think your props.conf TIME_PREFIX parameter should look like this. Since you have 13 digits in your epoch time I'm guessing it goes out to milliseconds so your TIME_FORMAT may already be correct. Let us know if that works.
TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
no it dint work
this is my sample
No it dint work,
this is my sample
6/13/18
4:10:04.000 PM
{ [-]
cdate: Wed Jun 13 16:10:04 2018
finalStatus: SUCCEEDED
id: application_xxxxx
name: Export job (158882): xxxxxxxxxxxxxx
startedTime: 1528840802983
user: xxxx
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using your sample event I was able to ingest the data with the proper timestamp using the following props.conf
[test_sourcetype]
SHOULD_LINEMERGE = true
TIME_PREFIX = startedTime:\s
TIME_FORMAT = %s%3N
LINE_BREAKER = \}([\r\n]+)
BREAK_ONLY_BEFORE_DATE = false
MAX_TIMESTAMP_LOOKAHEAD = 300
TRUNCATE = 1000
Keep in mind that this was done with only a single event so your MAX_TIMESTAMP_LOOKAHEAD and TRUNCATE values may have to be adjusted as necessary. Please let me know if this helped.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are you able to show us your current props.conf? Is it just the timestamp that you're having trouble with?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1528840802983 is in milliseconds? I think its in seconds then in that case TIME_FORMAT should be %s and TIME_PREFIX should be startedTime\:\s
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No it dint work,
this is my sample
6/13/18
4:10:04.000 PM
{ [-]
cdate: Wed Jun 13 16:10:04 2018
finalStatus: SUCCEEDED
id: application_xxxxx
name: Export job (158882): xxxxxxxxxxxxxx
startedTime: 1528840802983
user: xxxx
}
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
