Data model _time field format

BernardEAI — Fri, 23 Apr 2021 13:09:33 GMT

We are trying to create a data model with a custom _time field. We created the data model, and added a calculated field (SUBMIT_DATE_cron_e) that calculates a UNIX time with microseconds (like 1619093900.0043). We then created another calculated field called _time, and set this equal to SUBMIT_DATE_cron_e. This effectively overwrites the inherited (or original) _time field. These steps worked well.

A problem occurred when setting the data model to accelerated. If I do a search on the data model during the acceleration build process, and I inspect the _time field, I see times in UNIX format with microseconds (like 1619093900.0043), as intended. However as the build progresses, the _time values change to UNIX time with no microseconds (like 1619093900). It looks like the _time field is truncated to have only seconds.

Is this according to design for accelerated data models? Is there a way to have a _time field in UNIX format with micro seconds?

Re: Data model _time field format

easiedu_splunk — Mon, 13 Jun 2022 18:46:21 GMT

This is possible, but this approach requires a datamodel amendment.

If an ordinary search of the index showed timestamps with sub-seconds:

but the equivalent tstats search did not:

the workaround is to modify the datamodel to add another field which takes a copy of the full timestamp. That additional field can either be retained like other fields or can be used to reinstate the timestamp with sub-second detail. For example, create a calculated field “time_millis” that just takes a copy of _time.

Now, if you return to your tstats search from earlier and include time_millis, you can display time_millis and/or use it to reinstate the milliseconds of the _time field (i.e. | eval _time=time_miilis):

topic Data model _time field format in Splunk Search

Data model _time field format

Re: Data model _time field format