Hi all,
I have some inconsistent timestamp parsing issues that I believe are due to an incorrect TIME_FORMAT value in my props.conf file, and I am hoping that someone may be able to clarify what I've done wrong here. I get timestamps ingested into my Splunk instance with a format like this:
2017-01-31T19:35:43.379Z
This is the TIME_FORMAT value I have been using:
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N
It is mostly consistent but sometimes appears to not get parsed. Splunk Support has only been able to suggest that the Z at the end might be the issue, and on review of the documentation I don't see a specific way to note that in the TIME_FORMAT string. Does anyone know how to structure TIME_FORMAT to properly capture this?
I am not able to alter this data in any way so I must work with this format as-is.