https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-Ignoring-Milliseconds/m-p/54966#M10700 <P>The timestamp is at the very beginning of a multi-line event. I have also played with TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD without luck.</P> <P>The current config I have is:</P> <P>NO_BINARY_CHECK=1<BR /> BREAK_ONLY_BEFORE_DATE=true<BR /> CHARSET=ISO-8859-1<BR /> LEARN_SOURCETYPE=true<BR /> SHOULD_LINEMERGE=true<BR /> TIME_FORMAT=%Y.%m.%d %H:%M:%S:%3N %Z<BR /> TIME_PREFIX=^<BR /> MAX_TIMESTAMP_LOOKAHEAD=27</P> <P>I've tried uploading a file into the index to make sure it wasn't a problem with the data previewer but it still comes in without the milliseconds.</P> Mon, 28 Sep 2020 14:42:40 GMT llow 2020-09-28T14:42:40Z https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-Ignoring-Milliseconds/m-p/54964#M10698 <P>I'm having problems getting Splunk (through data preview) from correctly parsing the following timestamp:</P> <P>2013.08.14 12:47:02:467 MST</P> <P>I am using the format below but the milliseconds are ignored and Splunk shows '8/14/13 12:47:02.000 PM' instad of '8/14/13 12:47:02.467 PM'</P> <P>TIME_FORMAT=%Y.%m.%d %H:%M:%S:%3N %Z</P> Wed, 04 Sep 2013 20:30:44 GMT https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-Ignoring-Milliseconds/m-p/54964#M10698 llow 2013-09-04T20:30:44Z https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-Ignoring-Milliseconds/m-p/54965#M10699 <P>Hi Llow,</P> <P>Your TIME_FORMAT looks OK. Is the timestamp that's being parsed at the start or mid-way through an event?</P> <P>One thing I've noticed with the data preview is that sometimes the preview doesn't fully extract the timestamp, while submitting the change and viewing it in Splunk proper will. I found this quite recently helping out with this question:</P> <P><A href="http://answers.splunk.com/answers/101487/striptime-not-parsing-time-stamps">http://answers.splunk.com/answers/101487/striptime-not-parsing-time-stamps</A></P> <P>The milliseconds were not detected in the preview, but were fine once put into Splunk.</P> <P>I'd recommend throwing your data into a test index to confirm for yourself.</P> <P>Hope this helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 04 Sep 2013 23:01:44 GMT https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-Ignoring-Milliseconds/m-p/54965#M10699 rturk 2013-09-04T23:01:44Z https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-Ignoring-Milliseconds/m-p/54966#M10700 <P>The timestamp is at the very beginning of a multi-line event. I have also played with TIME_PREFIX and MAX_TIMESTAMP_LOOKAHEAD without luck.</P> <P>The current config I have is:</P> <P>NO_BINARY_CHECK=1<BR /> BREAK_ONLY_BEFORE_DATE=true<BR /> CHARSET=ISO-8859-1<BR /> LEARN_SOURCETYPE=true<BR /> SHOULD_LINEMERGE=true<BR /> TIME_FORMAT=%Y.%m.%d %H:%M:%S:%3N %Z<BR /> TIME_PREFIX=^<BR /> MAX_TIMESTAMP_LOOKAHEAD=27</P> <P>I've tried uploading a file into the index to make sure it wasn't a problem with the data previewer but it still comes in without the milliseconds.</P> Mon, 28 Sep 2020 14:42:40 GMT https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-Ignoring-Milliseconds/m-p/54966#M10700 llow 2020-09-28T14:42:40Z https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-Ignoring-Milliseconds/m-p/54967#M10701 <P>Can you edit your original question to include two or three redacted sample events?</P> Thu, 05 Sep 2013 00:25:16 GMT https://community.splunk.com/t5/Getting-Data-In/TIME-FORMAT-Ignoring-Milliseconds/m-p/54967#M10701 rturk 2013-09-05T00:25:16Z