<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Why is Splunk not indexing in milli seconds? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435863#M76055</link>
    <description>&lt;P&gt;It worked well. Thank you @harsmarvania57 &lt;/P&gt;</description>
    <pubDate>Fri, 31 Aug 2018 07:50:38 GMT</pubDate>
    <dc:creator>siva_cg</dc:creator>
    <dc:date>2018-08-31T07:50:38Z</dc:date>
    <item>
      <title>Why is Splunk not indexing in milli seconds?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435856#M76048</link>
      <description>&lt;P&gt;Hi All,&lt;/P&gt;

&lt;P&gt;I configured an input in which the timestamp field is in the format 20180830112930314 (%Y%m%d%H%M%S%3N). The same has been configured in props.conf on the Splunk indexers, but I am still seeing the event time as 2018/08/30 11:29:30.000. I mean, Splunk is showing 000 as the milliseconds even when the timestamp field has milliseconds other than 000. Could you please help me find the issue? Thanks in advance.&lt;/P&gt;</description>
      <pubDate>Thu, 30 Aug 2018 09:32:48 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435856#M76048</guid>
      <dc:creator>siva_cg</dc:creator>
      <dc:date>2018-08-30T09:32:48Z</dc:date>
    </item>
    <item>
      <title>Re: Why is Splunk not indexing in milli seconds?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435857#M76049</link>
      <description>&lt;P&gt;Hi @siva_cg,&lt;/P&gt;

&lt;P&gt;Can you please let us know whether the universal forwarder is sending data directly to the indexers, or whether it goes to a heavy forwarder and then to the indexer? Also, it would be good if you could provide your props.conf stanza.&lt;/P&gt;</description>
      <pubDate>Thu, 30 Aug 2018 09:59:40 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435857#M76049</guid>
      <dc:creator>harsmarvania57</dc:creator>
      <dc:date>2018-08-30T09:59:40Z</dc:date>
    </item>
    <item>
      <title>Re: Why is Splunk not indexing in milli seconds?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435858#M76050</link>
      <description>&lt;P&gt;Hi &lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/163905"&gt;@harsmarvania57&lt;/a&gt;,&lt;/P&gt;

&lt;P&gt;Data flow is: UF -&amp;gt; Intermediate Forwarder -&amp;gt; Indexer&lt;/P&gt;

&lt;P&gt;props.conf&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[st]
TZ = GMT
FIELD_DELIMITER = ,
TIMESTAMP_FIELDS = Timestamp
TIME_FORMAT = %Y%m%d%H%M%S%3N
SHOULD_LINEMERGE = false
# TIME_PREFIX = ^
# LINE_BREAKER = (^\d{17})
MAX_TIMESTAMP_LOOKAHEAD = 17
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Tue, 29 Sep 2020 21:05:20 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435858#M76050</guid>
      <dc:creator>siva_cg</dc:creator>
      <dc:date>2020-09-29T21:05:20Z</dc:date>
    </item>
    <item>
      <title>Re: Why is Splunk not indexing in milli seconds?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435859#M76051</link>
      <description>&lt;P&gt;Is your intermediate forwarder a Universal Forwarder or a Heavy Forwarder? If it is a Heavy Forwarder, you need to apply props.conf on the Heavy Forwarder, not on the Indexer. If it is a Universal Forwarder, then please provide sample data.&lt;/P&gt;</description>
      <pubDate>Thu, 30 Aug 2018 10:09:46 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435859#M76051</guid>
      <dc:creator>harsmarvania57</dc:creator>
      <dc:date>2018-08-30T10:09:46Z</dc:date>
    </item>
    <item>
      <title>Re: Why is Splunk not indexing in milli seconds?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435860#M76052</link>
      <description>&lt;P&gt;It is a Universal Forwarder. Due to the sensitivity of the data, everything is masked and only the event is provided. Apologies.&lt;BR /&gt;
20180830113004270,1,45,09e3ab1a,IRxxxxxx,USAxxxxxxxx,,,IRxxxx,,989368837464,,xxxxxxxx,00000000,0,0.0&lt;/P&gt;</description>
      <pubDate>Thu, 30 Aug 2018 11:34:10 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435860#M76052</guid>
      <dc:creator>siva_cg</dc:creator>
      <dc:date>2018-08-30T11:34:10Z</dc:date>
    </item>
    <item>
      <title>Re: Why is Splunk not indexing in milli seconds?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435861#M76053</link>
      <description>&lt;P&gt;I have tested the props.conf which you provided with the sample data, and it is not extracting any timestamp, so I guess Splunk is assigning the default timestamp, which is the time on the server when the data is indexed.&lt;/P&gt;

&lt;P&gt;When you use FIELD_DELIMITER, I guess you need to provide all the field names as well. So I have tested the props.conf below with the sample data, and it is working fine.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;[st]
TZ = GMT
FIELD_DELIMITER = ,
FIELD_NAMES = FIELD1,FIELD2,FIELD3,FIELD4,FIELD5,FIELD6,FIELD7,FIELD8,FIELD9,FIELD10,FIELD11,FIELD12,FIELD13,FIELD14,FIELD15,FIELD16
TIME_FORMAT = %Y%m%d%H%M%S%3N
SHOULD_LINEMERGE = false
MAX_TIMESTAMP_LOOKAHEAD = 17
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Sample Data which I used&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;20180830113004270,1,45,09e3ab1a,IR1234,USA1234,,,IR3456,,989368837464,,hasdghghj,00000000,0,0.0
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 30 Aug 2018 12:29:37 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435861#M76053</guid>
      <dc:creator>harsmarvania57</dc:creator>
      <dc:date>2018-08-30T12:29:37Z</dc:date>
    </item>
    <item>
      <title>Re: Why is Splunk not indexing in milli seconds?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435862#M76054</link>
      <description>&lt;P&gt;Hey @siva_cg,&lt;/P&gt;

&lt;P&gt;Did @harsmarvania57 's solution in the comment chain work? Let me know so that I can convert it to an answer. Then, you can approve it, and also, give him some sweet sweet upvotes &lt;/P&gt;</description>
      <pubDate>Thu, 30 Aug 2018 20:53:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435862#M76054</guid>
      <dc:creator>mstjohn_splunk</dc:creator>
      <dc:date>2018-08-30T20:53:51Z</dc:date>
    </item>
    <item>
      <title>Re: Why is Splunk not indexing in milli seconds?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435863#M76055</link>
      <description>&lt;P&gt;It worked well. Thank you @harsmarvania57 &lt;/P&gt;</description>
      <pubDate>Fri, 31 Aug 2018 07:50:38 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435863#M76055</guid>
      <dc:creator>siva_cg</dc:creator>
      <dc:date>2018-08-31T07:50:38Z</dc:date>
    </item>
    <item>
      <title>Re: Why is Splunk not indexing in milli seconds?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435864#M76056</link>
      <description>&lt;P&gt;Great, I have converted my comment to an answer so you can accept &amp;amp; upvote it.&lt;/P&gt;</description>
      <pubDate>Fri, 31 Aug 2018 08:06:08 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/Why-is-Splunk-not-indexing-in-milli-seconds/m-p/435864#M76056</guid>
      <dc:creator>harsmarvania57</dc:creator>
      <dc:date>2018-08-31T08:06:08Z</dc:date>
    </item>
  </channel>
</rss>

