microseconds in time range of search

my_splunk — Thu, 23 May 2013 08:40:53 GMT

Hi, i have events with microseconds in timestamp, for example 2013-02-13:22:09:43.687263.
I see that in custom time setting, in the time range picker of search app, is possible to use only milliseconds, so in my search i lose some events which have difference of microceconds in timestamp.

i have used earliest and latest time modifiers at search:

sourcetype = mysourcetype  timeformat="%Y-%m-%d:%H:%M:%S.%6N" earliest="2013-02-13:22:09:43.687223" latest="2013-02-13:22:09:43.687413"

to find events (financial transactions) between the two timestamps, but this search give me no results. In fact in search job inspector i see this:

searchEarliestTime 1360789783.687000000

searchLatestTime 1360789783.687000000

so microseconds are not used by search...

Is possible to use microseconds in time range? How?
Thanks

Re: microseconds in time range of search

bshuler_splunk — Fri, 24 Oct 2014 23:19:21 GMT

I would extract the nanoseconds and then search based on them:

 | stats count |  eval text="2013-02-13:22:09:43.687223" | rex field=text "\d+\-\d+\-\d+\:\d+\:\d+\:\d+\.(?<nanoseconds>\d+)" | search nanoseconds>687222

 | stats count |  eval text="2013-02-13:22:09:43.687223" | rex field=text "\d+\-\d+\-\d+\:\d+\:\d+\:\d+\.(?<nanoseconds>\d+)" | search nanoseconds>687223

topic Re: microseconds in time range of search in Getting Data In

microseconds in time range of search

Re: microseconds in time range of search