https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21617#M3551 <P>Indeed, same question, I forgot about that as I was carried out with the newest version and the bug correction for epoch in 4.2.1. I will continue the threat you indicated (probably makes more sense). Thank you for this.</P> Fri, 03 Jun 2011 08:12:10 GMT OL 2011-06-03T08:12:10Z https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21615#M3549 <P>Hello All,</P> <P>I have a log which has the following unix tai64n timestamp: @400000004ddf8b5a1803be44. Splunk 4.2.1 recognises it at index time but ignores the milliseconds.</P> <P>Is there a way to change this behaviour and parse the milliseconds at index time?</P> <P>It seems that I cannot try the "TIME_FORMAT = %s%3N" here as the timestamp is in hex. The datetime.xml mentions a "subsecond" for the utcepoch, but I don't know how to use it.</P> <P>Splunk seems to recognise only the first 16 charaters. I tried to remove the "16" in the regex in the datetime.xml ( ^@[\da-fA-F]{16,24} ), but this didn't help neither.</P> <P>Any idea anyone?</P> <P>Regards,<BR /> Olivier</P> Thu, 02 Jun 2011 22:35:50 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21615#M3549 OL 2011-06-02T22:35:50Z https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21616#M3550 <P>Related (possibly the same) question at <A href="http://splunk-base.splunk.com/answers/4540/does-splunk-support-indexing-of-timestamps-in-tai64nlocal-format">http://splunk-base.splunk.com/answers/4540/does-splunk-support-indexing-of-timestamps-in-tai64nlocal-format</A></P> Thu, 02 Jun 2011 22:43:00 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21616#M3550 dwaddle 2011-06-02T22:43:00Z https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21617#M3551 <P>Indeed, same question, I forgot about that as I was carried out with the newest version and the bug correction for epoch in 4.2.1. I will continue the threat you indicated (probably makes more sense). Thank you for this.</P> Fri, 03 Jun 2011 08:12:10 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21617#M3551 OL 2011-06-03T08:12:10Z https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21618#M3552 <P>May I ask how you make splunk accept tai64n time?</P> <P>I have some imported events but I don't know how to process them, e.g.</P> <P>@400000004de5bcd921686bec tcpserver: status: 0/40</P> <P>@400000004de5bcd921686034 tcpserver: end 10611 status 256</P> <P>I am happy even without miliseconds.</P> <P>Regards,<BR /> Keith </P> Fri, 03 Jun 2011 12:12:02 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21618#M3552 keiichilam 2011-06-03T12:12:02Z https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21619#M3553 <P>Well, if you are on Splunk 4.2.1 (the version I have), it simple: let Splunk eat the log and it will get the correct timestamp without the milliseconds.</P> <P>The problem comes when you need the milliseconds <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Fri, 03 Jun 2011 12:15:01 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21619#M3553 OL 2011-06-03T12:15:01Z https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21620#M3554 <P>Please take a look into: <BR /> <A href="https://answers.splunk.com/answers/688698/why-are-milliseconds-not-being-parsed-in-cluster-e.html">https://answers.splunk.com/answers/688698/why-are-milliseconds-not-being-parsed-in-cluster-e.html</A></P> Tue, 05 Feb 2019 10:11:08 GMT https://community.splunk.com/t5/Splunk-Search/Parsing-epoch-time-tai64n-with-milliseconds/m-p/21620#M3554 freedomson 2019-02-05T10:11:08Z