Dear All, I am getting data from the Search head in json format. The first field of the event is timestamp and it is in epoch time format("timestamp": 1609414219738696) with 16 digits. My problem is i need to onboard data with _time value from timestamp field. So in props.conf file of Cluster master i updated as below TIMESTAMP_FIELDS = timestamp TIME_FORMAT = %s%6N But the _time field is not populated properly . And i am getting 2 values in indexed data for timestamp field as below. Please help me on this  ... View more

In raw data, timestamp field value is 1606730113962778 but for the timestamp field in the interesting fields list i am getting two values which are none and 606730113962778. Below are the props configuration Because of that _time is not properly getting configured. [Sourcetype] INDEXED_EXTACTION =json NO_BINARY_CHECK = true TIMESTAMP_FIELDS= timestamp TIME_FOMAT=%s%6N pulldown_type=1   ... View more

Please help me in Finding the 3rd or nth largest value from a field... SALARY 10000 30000 20000 80000 60000 93000 55000 we need to get 3rd largest as 60000 Please give the spl and help me ... View more