https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303061#M57243 <P>Ah right i get it now(think you had a typo in your command strp instead of strf for the stringTime. </P> <P>[sourcectypename]<BR /> LINE_BREAKER = ([\r\n]+)<BR /> TIME_FORMAT = as above<BR /> TIME_PREFIX = ^<BR /> MAX_TIMESTAMP_LOOKAHEAD = 27 ( i overset this this, initially it matched the actual length..thought it might be cutting it off)<BR /> Truncate 999999<BR /> SHOULD_LINEMERGE = false</P> <P>sample data:</P> <P>2017-07-11 08:54:12,815 31 [INFO] - - 5ms textHere MoreTEXT here[652].moretextHere(): MoreTextHere</P> Tue, 29 Sep 2020 14:49:44 GMT mwdbhyat 2020-09-29T14:49:44Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303054#M57236 <P>Hi there,</P> <P>I am extracting a timestamp in props.. everything is working fine except for the milliseconds at the end of it. </P> <P>Date format is 2017-07-11 08:54:12,815 -- my extraction is %Y-%m-%d %H-%M-%S,%3N </P> <P>That extraction works for similar data with a .(period) before the milliseconds instead of a comma - changing the end of the extract to .%3N - but it never works for a comma.</P> <P>Is there anything else needed when trying to extract milliseconds after a comma?</P> <P>Thanks</P> Tue, 11 Jul 2017 08:06:00 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303054#M57236 mwdbhyat 2017-07-11T08:06:00Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303055#M57237 <P>Hi mwdbhyat,<BR /> let me understand:<BR /> you have another sourcetype with time format %Y-%m-%d %H-%M-%S.%3N that works with other data and to read these data, do you want to use the same time format or to create another one?</P> <P>If you want to create another one it's easy because you insert the correct format in props.conf<BR /> TIME_FORMAT = %Y-%m-%d %H-%M-%S,%3N</P> <P>If instead you want to use the same sourcetype, don't set any time format, Splunk recognize both the time format (I tried it).</P> <P>Bye.<BR /> Giuseppe</P> Tue, 11 Jul 2017 08:22:20 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303055#M57237 gcusello 2017-07-11T08:22:20Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303056#M57238 <P>Hi Giuseppe,</P> <P>The issue im facing is that it will not extract the milliseconds from the timestamp when there is a comma in the timestamp before the milliseconds..</P> Tue, 11 Jul 2017 08:28:54 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303056#M57238 mwdbhyat 2017-07-11T08:28:54Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303057#M57239 <P>Hi mwdbhyat,<BR /> if you set the time format (with dot or comma), it's correct that Splunk doesn't recognize both timestamps but only ther one that matches your settings.<BR /> If instead you don't set the time format and leave that Splunk recognizes time format, it recognizes both the time formats.<BR /> I created a file with your two time formats and Splunk recognized both of them.<BR /> Bye.<BR /> Giuseppe</P> Tue, 11 Jul 2017 08:39:25 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303057#M57239 gcusello 2017-07-11T08:39:25Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303058#M57240 <P>@cusello, slight correction to your answer, Hour Minute and Second are separated by colons(:) not hyphens (-).<BR /> @mwdbhyat, please try out colon as separator for Time. I have added a run-anywhere search to test.</P> <PRE><CODE>| makeresults | eval epochTime=strptime("2017-07-11 08:54:12,815","%Y-%m-%d %H:%M:%S,%3N") | eval stringTime=strptime(epochTime,"%Y-%m-%d %H:%M:%S,%3N") | table epochTime stringTime </CODE></PRE> Tue, 11 Jul 2017 08:42:35 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303058#M57240 niketn 2017-07-11T08:42:35Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303059#M57241 <P>Hi guys, </P> <P>Thanks for the help. @niketnilay - that was a typo in this question <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> ..I used colons not hyphens. the makeresults query only returns epochTime value? </P> <P>The issue at hand is this - %Y-%m-%d %H-%M-%S,%3N should match 2017-07-11 08:54:12,815 but it doesnt take the milliseconds.. Thats the only problem..</P> <P>Not setting a TIME_FORMAT will be less performant so I dont want to leave it blank. </P> Tue, 11 Jul 2017 09:15:34 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303059#M57241 mwdbhyat 2017-07-11T09:15:34Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303060#M57242 <P>makeresults is a generating command which allows you to create your own variable/data to be displayed.</P> <P>strptime() converts string time to epoch and strftime() converts from epoch to string. If you compare the two values (epochTime and stringTime) you will see that 815 is present in both hence milliseconds is working as expected.</P> <P>Is this extraction being done while <STRONG>sourcetype</STRONG> definition in props.conf? Can you add your current settings and some sample raw data(mock or anonymize sensitive info where ever needed?</P> Tue, 11 Jul 2017 09:33:49 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303060#M57242 niketn 2017-07-11T09:33:49Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303061#M57243 <P>Ah right i get it now(think you had a typo in your command strp instead of strf for the stringTime. </P> <P>[sourcectypename]<BR /> LINE_BREAKER = ([\r\n]+)<BR /> TIME_FORMAT = as above<BR /> TIME_PREFIX = ^<BR /> MAX_TIMESTAMP_LOOKAHEAD = 27 ( i overset this this, initially it matched the actual length..thought it might be cutting it off)<BR /> Truncate 999999<BR /> SHOULD_LINEMERGE = false</P> <P>sample data:</P> <P>2017-07-11 08:54:12,815 31 [INFO] - - 5ms textHere MoreTEXT here[652].moretextHere(): MoreTextHere</P> Tue, 29 Sep 2020 14:49:44 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303061#M57243 mwdbhyat 2020-09-29T14:49:44Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303062#M57244 <P>This seems to work for me as well. Can you try createing a new sourcetype with only TIME_FORMAT and MAX_TIMESTAMP_LOOKAHEAD? Test with your data in preview mode whether it is working as expected or not.</P> <PRE><CODE>[customSourcetypename] DATETIME_CONFIG = MAX_TIMESTAMP_LOOKAHEAD = 24 NO_BINARY_CHECK = true SHOULD_LINEMERGE = false TIME_FORMAT = %Y-%m-%d %H:%M:%S,%3N category = Custom pulldown_type = true </CODE></PRE> <P><IMG src="https://community.splunk.com/storage/temp/208583-timestamp-with-millisecond.png" alt="alt text" /></P> Tue, 29 Sep 2020 14:49:55 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303062#M57244 niketn 2020-09-29T14:49:55Z https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303063#M57245 <P>Please take a look into: <BR /> <A href="https://answers.splunk.com/answers/688698/why-are-milliseconds-not-being-parsed-in-cluster-e.html">https://answers.splunk.com/answers/688698/why-are-milliseconds-not-being-parsed-in-cluster-e.html</A></P> Tue, 05 Feb 2019 10:49:50 GMT https://community.splunk.com/t5/Getting-Data-In/Timestamp-milliseconds-not-appearing/m-p/303063#M57245 freedomson 2019-02-05T10:49:50Z