How do you extract a timestamp in an event like this "2018-12-05T00:31:03.711Z"?
Like, what do we need to write in TIME_FORMAT in props.conf?
Hope this works:
[<sourcetype>]
SHOULD_LINEMERGE = false
TIME_PREFIX = ^\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%Z
MAX_TIMESTAMP_LOOKAHEAD = 25
Hi @vishaltaneja07011993! Can you post one whole event? Because it matters where the timestamp is situated in the event and you might need to configure TIME_PREFIX accordingly.
I think you're asking how Splunk identifies the timestamp in the raw logs rather than how Splunk extracts it.
No, no, no! Never, EVER let Splunk do anything related to timestamping or sourcetyping automatically!
Correct. ALWAYS explicitly tell Splunk how to line break and timestamp.
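The props.conf settings posted in the answer above can be sanity-checked offline against a sample event before they are deployed. The following Python sketch is an added example, not part of the original posts and not Splunk's own parser: it approximates the TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD (counted from the end of the prefix match) and TIME_FORMAT steps. It assumes `%3N` maps to Python's `%f` and `%Z` to `%z`; the function names and sample events are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Settings copied from the answer in this thread.
TIME_PREFIX = r'^\"'
TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%3N%Z"
MAX_TIMESTAMP_LOOKAHEAD = 25

# Constructed sample events (not from the thread).
QUOTED_AT_START = '"2018-12-05T00:31:03.711Z" level=info msg="login ok"'
MID_EVENT = 'level=info ts="2018-12-05T00:31:03.711Z" msg="login ok"'


def to_strptime(fmt):
    # Assumption of this sketch: %3N (subseconds) -> %f, and %Z -> %z so that
    # a literal "Z" is read as UTC (Python 3.7+).
    return re.sub(r"%\d?N", "%f", fmt).replace("%Z", "%z")


def extract_timestamp(raw, prefix=TIME_PREFIX, fmt=TIME_FORMAT,
                      lookahead=MAX_TIMESTAMP_LOOKAHEAD):
    """Return the parsed datetime, or None when these settings miss it."""
    m = re.search(prefix, raw)
    if m is None:
        return None  # prefix never matched, so no timestamp is found
    # Only `lookahead` characters after the prefix match are considered.
    window = raw[m.end():m.end() + lookahead]
    pyfmt = to_strptime(fmt)
    # Try the longest leading slice first so trailing text (the closing
    # quote) after the timestamp is ignored.
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], pyfmt)
        except ValueError:
            continue
    return None


if __name__ == "__main__":
    print(extract_timestamp(QUOTED_AT_START))               # parsed, UTC
    print(extract_timestamp(MID_EVENT))                     # prefix misses
    print(extract_timestamp(MID_EVENT, prefix=r'ts=\"'))    # adjusted prefix
    print(extract_timestamp(QUOTED_AT_START, lookahead=10)) # window too short
```

The second and fourth calls show the two failure modes raised in the comments: a TIME_PREFIX that does not match where the timestamp actually sits in the event, and a lookahead window too short to contain the whole timestamp.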