Check your strftime is correct in the props.conf

A simple way to check whether the strftime format string you set as TIME_FORMAT= in props.conf matches the timestamp format of your log file: render the current time with that same format string in a search and compare the output with a timestamp taken from the log.

strftime(X,Y)
This function takes a UNIX time value, X, as the first argument and renders the time as a string using the format specified by Y. The UNIX time must be in seconds. Use the first 10 digits of a UNIX time to use the time in seconds.

| makeresults
| eval TIME_FORMAT=strftime(_time,"%F,%T,%3N")

More examples: https://docs.splunk.com/Documentation/Splunk/7.2.4/SearchReference/DateandTimeFunctions
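The same check done offline, as an added example that is not part of the original post or of Splunk's own code: it renders a fixed time with a Splunk-style TIME_FORMAT (the equivalent of the makeresults search above) and tests the format against sample log lines in the order Splunk uses, TIME_PREFIX first and then TIME_FORMAT. The sample instant and log lines are constructed; the directive table, the 128-character lookahead and the rule that no digit may directly follow the timestamp are this checker's own approximation of Splunk's extraction, not Splunk's documented behaviour.

```python
import re
from datetime import datetime, timezone

# Regex fragment per strptime directive this checker understands (a common subset).
DIRECTIVES = {
    "Y": r"\d{4}", "y": r"\d{2}", "m": r"\d{2}", "d": r"\d{2}", "H": r"\d{2}",
    "M": r"\d{2}", "S": r"\d{2}", "b": r"[A-Z][a-z]{2}", "z": r"[+-]\d{2}:?\d{2}",
    "N": r"\d{1,9}", "3N": r"\d{3}", "6N": r"\d{6}", "9N": r"\d{9}",
    "F": r"\d{4}-\d{2}-\d{2}", "T": r"\d{2}:\d{2}:\d{2}",
}
_TOKEN = re.compile(r"%(?:[369]N|[A-Za-z%])|.")  # one directive or one literal char
# Constructed sample inputs: a fixed instant and two log lines to test against.
SAMPLE_DT = datetime(2024, 3, 5, 14, 7, 9, 123456, tzinfo=timezone.utc)
SAMPLE_LINES = [
    "2024-03-05,14:07:09,123,INFO,login ok user=alice",
    "2024-03-05,14:07:09,123456,INFO,login ok user=bob",  # fraction wider than %3N
]

def format_to_regex(time_format):
    """Translate a TIME_FORMAT string into the regex its timestamp text must match."""
    parts = []
    for tok in _TOKEN.findall(time_format):
        if not tok.startswith("%") or tok == "%%":
            parts.append(re.escape(tok[-1]))   # literal character ('%%' means '%')
        elif tok[1:] not in DIRECTIVES:
            raise ValueError(f"unsupported directive {tok}")
        else:
            parts.append(DIRECTIVES[tok[1:]])
    return "".join(parts)

def render(time_format, dt):
    """Render dt with a Splunk-style format, as strftime(_time, fmt) does in SPL."""
    out = []
    for tok in _TOKEN.findall(time_format):
        d = tok[1:] if tok.startswith("%") else None
        if d in ("3N", "6N", "N", "9N"):       # sub-second fields Python's strftime lacks
            out.append(f"{dt.microsecond * 1000:09d}"[:{"3N": 3, "6N": 6}.get(d, 9)])
        elif d is None or d == "%":
            out.append(tok[-1])                 # literal character, or '%' for '%%'
        else:
            out.append(dt.strftime({"F": "%Y-%m-%d", "T": "%H:%M:%S"}.get(d, "%" + d)))
    return "".join(out)

def check_time_format(time_format, lines, time_prefix="", lookahead=128):
    """Map each line to the timestamp text TIME_FORMAT consumes after TIME_PREFIX (a regex,
    as in props.conf) within the first `lookahead` chars; None when the format does not fit."""
    pat = re.compile(time_prefix + "(?P<ts>" + format_to_regex(time_format) + r")(?!\d)")
    return {line: (m.group("ts") if (m := pat.search(line[:lookahead])) else None) for line in lines}
```

With TIME_FORMAT = %F,%T,%3N the first sample line yields its full timestamp while the second, whose fraction has six digits, yields None, which is the mismatch you want to catch before indexing.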
