Check your strftime is correct in the props.conf

A simple method on checking if your strftime (TIME_FORMAT=) in the props.conf matches your log file timestamp format.

This function takes a UNIX time value, X, as the first argument and renders the time as a string using the format specified by Y. The UNIX time must be in seconds. Use the first 10 digits of a UNIX time to use the time in seconds.

| makeresults
| eval TIME_FORMAT=strftime(_time,"%F,%T,%3N")

More examples:

Share This:

Leave A Comment?