Splunk Cloud Platform
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to identify date as the timestamp(_time value)?

rolyrolex
Path Finder
‎03-08-2022 07:04 AM

Hello, 

I'm using Splunk Cloud.

I have date with this format and i want splunk to identify date as the timestamp(_time value).

{

               "date":     "2022-03-08T13:00:46.3204337+01:00",

               "Delay Time":     "0 Sec",

               "OrderNumber":      "6285071",

                "Key / CLE":    "622203040258800100A",

                 "Name":    "ZM400_FINCON9P"

             }

I have a source type defined like this but it's not working. 

rolyrolex_0-1646751819052.png

 

Did someone have a solution please ? 

Thank you all 

Labels (1)
Labels
Tags (2)
0 Karma
Reply

somesoni2
Revered Legend
‎03-08-2022 10:40 AM

Try these Sourcetype definition properties (in the Advanced tab):

 

TIME_PREFIX = \"date\"\:\s*\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%7N%z
MAX_TIMESTAMP_LOOKAHEAD = 33

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎03-08-2022 08:07 AM

The Search Reference manual says %7Q is not a valid value (See https://docs.splunk.com/Documentation/Splunk/8.2.5/SearchReference/Commontimeformatvariables#:~:text...)  Try %7N, instead.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...