Time-Date recognize Unix Epoch Time milliseconds

ryastrebov · ‎03-29-2013

Hello!
I have log contains time-date in Unix Epoch format (milliseconds).
One event fragments is:

04,013c5f8ecc0f,013c5f8ecd04,0038af,...

Desired date is contained in column 3 (013c5f8ecd04).

During indexing process Splunk some date perceive correctly, and some not. This values (013c5f8ecd04) Splunk understand as 11/28/11 10:53:54.000 PM. It is incorrect.

Necessary to date indexing perceived correctly.
How can this be done?

Best regards,
Roman

ryastrebov · ‎03-31-2013

Thanks for the warning! I do not know really how to correctly extract the information about the date and time from the field... Because in most cases the date is retrieved correctly.

sideview · ‎03-29-2013

beware when you do get it working correctly, your date_hour fields and all your date_* fields will be calculated as though you had set the timezone explicitly to GMT, which effectively means all your date_hour values will be off by whatever your timezone offset is, and all your other date_* fields will be slightly unreliable too. This has bitten me in the past.

yannK · ‎03-29-2013

Define a timeprefix and timeformat extraction in props.conf for this sourcetype
To verify use the data preview.

ryastrebov · ‎03-29-2013

Unlikely because in this file same part of the dates correctly perceived

eashwar · ‎03-29-2013

i hope it is because of the TIME ZONE configured incorrectly.

Time-Date recognize Unix Epoch Time milliseconds

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!