Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create source type for 13 digit epoch?

loganramirez
Path Finder
‎08-07-2023 08:40 AM

I have json data coming in that contains a 13 digit epoch value in eventTime, but %s appears to only support 10 digits (https://docs.splunk.com/Documentation/Splunk/8.2.8/Data/Configuretimestamprecognition?ref=hk)

What i'm trying to do is create a source type that will set _time to the value in eventTime when consumed, but struggling to solve it.

I did try setting TIMESTAMP_FIELDS to eventTime and then TIME_FORMAT to %s, but that did not work.

But, I also manually added a 10 digit epoch and it still did not work, so maybe i'm just chasing the wrong idea.

I also tried 'AUTO' but it did not find it.

Looking to learn!  Thank you!

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2023 08:47 AM

Hi @loganramirez,

please, use this TIME_FORMAT:

TIME_FORMAT = %s%3N

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

loganramirez
Path Finder
‎08-07-2023 08:50 AM

Want to note that I also found this:
https://community.splunk.com/t5/Getting-Data-In/How-to-assign-custom-JSON-field-with-epoch-time-as-t...


And my raw json looks like:
"eventTime": 1691354089743,

So I also tried

TIMESTAMP_FIELDS: eventTime
TIME_FORMAT: %s%3N
TIMESTAMP_PREFIX: \"eventTime\":
KV_MODE: json

But still getting the orange exclamation mark.

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2023 08:54 AM

Hi @loganramirez,

please try using the default for json and my TIME_FORMAT:

[your_sourcetype]
TIME_FORMAT: %s%3N
TIMESTAMP_PREFIX: \"eventTime\":
KV_MODE: none
INDEXED_EXTRACTIONS = json

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-07-2023 08:47 AM

Hi @loganramirez,

please, use this TIME_FORMAT:

TIME_FORMAT = %s%3N

Ciao.

Giuseppe

Reply
Solved! Jump to solution

loganramirez
Path Finder
‎08-07-2023 08:54 AM

well, heck, I believe this worked!  Thank you!

 

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...