Hello..
Splunk 7.0.5. I have a data source as follows, which has 1-, 2- or 3-digit values for milliseconds:
Tue Oct 08 2019 14:47:33 tid="d83af63f5acd9c510bd440d" object="EnterpriseSalesInformation" rule_type="request" domain="SOAPvs" domain="SOAPvs" trace_id="30fb2039-9910-4bd5-b012-3fe63dd874af" time="2019-10-08T14:47:33:4-04:00"
Tue Oct 08 2019 14:47:29 tid="d83af63f5acd9c180b220fd" object="EnterpriseSalesInformation" rule_type="request" domain="SOAPvs" domain="SOAPvs" trace_id="24c792c0-80ea-476b-95b2-3fe63dd8876c" time="2019-10-08T14:47:29:91-04:00"
Tue Oct 08 2019 14:47:29 tid="d83af63f5acd9c180bd203d" object="EnterpriseSalesInformation" rule_type="request" domain="SOAPvs" domain="SOAPvs" trace_id="7446787d-76b8-4eca-924f-3fe63dd8c9ed" time="2019-10-08T14:47:29:181-04:00"
Which I am trying to process using this props.conf:
[teshting]
disabled = false
DATETIME_CONFIG = /etc/apps/teshtapp/local/customdatetime.xml
TIME_PREFIX = time="
# TIME_FORMAT = %Y-%m-%dT%H:%M:%S:%3Q%z
# TIME_FORMAT = %Y-%m-%dT%H:%M:%S:%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 40
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
TRUNCATE = 1000
(You can see from my commented lines, I tried to deal with this using %3Q and %3N to no avail; both caused a ms value of 4 to be 400 and 91 to be 910.)
In reading other comments on here, I think I need to use a custom datetime.xml file to handle this... so I wrote customdatetime.xml referenced above in my props.conf and detailed here:
That does not seem to work either. Where am I going wrong?
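The 4 → 400 and 91 → 910 results reported in the post are what a fraction-of-a-second parse produces from unpadded digits. As an added example (not part of the original post and not Splunk configuration), this Python code reproduces that with `%f`, parses the field as a millisecond count instead, and zero-pads it to a fixed width before ingestion; the function names are hypothetical and the sample values are copied from the events above.

```python
import re
from datetime import datetime, timedelta, timezone

# Sample time= fields taken from the events shown in the post.
SAMPLES = [
    'time="2019-10-08T14:47:33:4-04:00"',
    'time="2019-10-08T14:47:29:91-04:00"',
    'time="2019-10-08T14:47:29:181-04:00"',
]

# Seconds, then ":" and an unpadded 1-3 digit millisecond count, then the UTC offset.
TIME_RE = re.compile(
    r'time="(?P<base>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d):(?P<ms>\d{1,3})'
    r'(?P<sign>[+-])(?P<oh>\d\d):(?P<om>\d\d)"'
)

def parse_event_time(line):
    """Return an aware datetime, reading the last field as a millisecond count."""
    m = TIME_RE.search(line)
    if m is None:
        raise ValueError('no time="..." field in the expected format')
    offset = timedelta(hours=int(m["oh"]), minutes=int(m["om"]))
    if m["sign"] == "-":
        offset = -offset
    base = datetime.strptime(m["base"], "%Y-%m-%dT%H:%M:%S")
    return base.replace(tzinfo=timezone(offset)) + timedelta(milliseconds=int(m["ms"]))

def parse_as_fraction(line):
    """Fraction-style parse: %f left-justifies the digits, so "4" becomes .400000."""
    m = TIME_RE.search(line)
    return datetime.strptime(m["base"] + ":" + m["ms"], "%Y-%m-%dT%H:%M:%S:%f")

def normalize(line):
    """Rewrite the field with zero-padded milliseconds (":4-" becomes ":004-")."""
    def fix(m):
        return 'time="{}:{:03d}{}{}:{}"'.format(
            m["base"], int(m["ms"]), m["sign"], m["oh"], m["om"])
    return TIME_RE.sub(fix, line)

if __name__ == "__main__":
    for s in SAMPLES:
        print(normalize(s), "->",
              parse_event_time(s).isoformat(timespec="milliseconds"),
              "| fraction-style ms:", parse_as_fraction(s).microsecond // 1000)
```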