https://community.splunk.com/t5/Getting-Data-In/Extract-timestamp-in-Epoch-microseconds-to-date/m-p/99353#M20780 <P>I think this is a display formatting thing more than anything else. I took your config and sample data and loaded it up. When I search on it, I do only see the time out to 3 decimals. I did a slightly different search, however, and found that Splunk is storing all 6 decimals, just truncating at display time.</P> <PRE><CODE>sourcetype=test | eval foo=_time | table _time, foo </CODE></PRE> <P>If you run this search, you'll see the the results formatted as</P> <PRE><CODE>5/11/11 1:51:16.192 AM 1305096676.192356 </CODE></PRE> <P>Which suggests that the time is being extracted/stored with full 6-decimal accuracy, but only being displayed with 3. I don't know the explanation for this behavior or if it can be changed - but it would be a good follow on question.</P> Wed, 11 May 2011 16:49:56 GMT dwaddle 2011-05-11T16:49:56Z https://community.splunk.com/t5/Getting-Data-In/Extract-timestamp-in-Epoch-microseconds-to-date/m-p/99352#M20779 <P>Hi, I need Splunk to recognize the timestamps down to microseconds.</P> <P>A sample event is listed below:</P> <PRE><CODE>1305096676.192356,64.127.105.40,10.1.81.74, </CODE></PRE> <P>Splunk 4.1.8 automatically(without any extra configuration) recognizes the epoch time down to the milliseconds. But I need the timestamp to be extracted to the microseconds.</P> <P>I have tried using props.conf with the following configuration:</P> <PRE><CODE>[test] TIME_PREFIX = ^ TIME_FORMAT = %s.%6N MAX_TIMESTAMP_LOOKAHEAD = 17 </CODE></PRE> <P>But didn’t work.</P> <P>Any suggestion?</P> <P>Thanks.</P> Wed, 11 May 2011 07:07:53 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-timestamp-in-Epoch-microseconds-to-date/m-p/99352#M20779 alextsui 2011-05-11T07:07:53Z https://community.splunk.com/t5/Getting-Data-In/Extract-timestamp-in-Epoch-microseconds-to-date/m-p/99353#M20780 <P>I think this is a display formatting thing more than anything else. I took your config and sample data and loaded it up. When I search on it, I do only see the time out to 3 decimals. I did a slightly different search, however, and found that Splunk is storing all 6 decimals, just truncating at display time.</P> <PRE><CODE>sourcetype=test | eval foo=_time | table _time, foo </CODE></PRE> <P>If you run this search, you'll see the the results formatted as</P> <PRE><CODE>5/11/11 1:51:16.192 AM 1305096676.192356 </CODE></PRE> <P>Which suggests that the time is being extracted/stored with full 6-decimal accuracy, but only being displayed with 3. I don't know the explanation for this behavior or if it can be changed - but it would be a good follow on question.</P> Wed, 11 May 2011 16:49:56 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-timestamp-in-Epoch-microseconds-to-date/m-p/99353#M20780 dwaddle 2011-05-11T16:49:56Z