https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307956#M92406 <P>When have some queries where milliseconds are important. There is no difficulty if the ms value is stored in the index so that showing the epoch time. We get when milliseconds are in the original time stamp, but when it is not the original time stamp and the two types are intermixed. Examples:<BR /> Works well:<BR /> Source Time Stamp -- 2018-03-29T18:38:51.661Z<BR /> _time in epoch secs 1522348731.661 -- not decimal and milliseconds<BR /> Problem:<BR /> Source Time Stamp -- 2018-03-29T00:00:38+0000,<BR /> _time in epoch secs 1522281638 -- note NO milliseconds <BR /> I need this to show 1522281638.000 </P> <P>I would like all _time stamps to include a ms value even if the source does not.<BR /><BR /> I have tried SEDCMD and converted the stored log, but NOT splunk _time . I assume this is because the time stamp is<BR /> extracted before the SEDCMD. </P> <P>What would be a good method? Is there a global parameter that will cause the ms value to always be filled to .000 on data with only whole seconds?</P> Thu, 29 Mar 2018 19:01:23 GMT jimdiconectiv 2018-03-29T19:01:23Z https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307956#M92406 <P>When have some queries where milliseconds are important. There is no difficulty if the ms value is stored in the index so that showing the epoch time. We get when milliseconds are in the original time stamp, but when it is not the original time stamp and the two types are intermixed. Examples:<BR /> Works well:<BR /> Source Time Stamp -- 2018-03-29T18:38:51.661Z<BR /> _time in epoch secs 1522348731.661 -- not decimal and milliseconds<BR /> Problem:<BR /> Source Time Stamp -- 2018-03-29T00:00:38+0000,<BR /> _time in epoch secs 1522281638 -- note NO milliseconds <BR /> I need this to show 1522281638.000 </P> <P>I would like all _time stamps to include a ms value even if the source does not.<BR /><BR /> I have tried SEDCMD and converted the stored log, but NOT splunk _time . I assume this is because the time stamp is<BR /> extracted before the SEDCMD. </P> <P>What would be a good method? Is there a global parameter that will cause the ms value to always be filled to .000 on data with only whole seconds?</P> Thu, 29 Mar 2018 19:01:23 GMT https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307956#M92406 jimdiconectiv 2018-03-29T19:01:23Z https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307957#M92407 <P>Hey Jim,</P> <P>You may need to try something like this <A href="http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Configuretimestamprecognition">http://docs.splunk.com/Documentation/Splunk/7.0.2/Data/Configuretimestamprecognition</A></P> <P>I had a similar issue where one event would have milliseconds but the other did not, so I create a props.conf for it.</P> <PRE><CODE>TIME_FORMAT = &lt;strptime-style format&gt; </CODE></PRE> <P>In your case I think it would look something like this:</P> <PRE><CODE>TIME_FORMAT =%Y-%m-%dT%H:%M:%S.%q </CODE></PRE> <P>You can play with this in the GUI to see how it works, if you have a sample log and try Settings&gt;Add Data&gt;Upload</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4686i4CBEE732E9A41B79/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 29 Mar 2018 22:08:38 GMT https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307957#M92407 hos_2 2018-03-29T22:08:38Z https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307958#M92408 <P>hos_2 ,<BR /> I have used time_stamp recognition before, but never in a case where there were intermixed formats like this, one with millisec and one without. Did you specify a single Format in your case? Does just showing a format with .%q force all to have millisecs. I will try it. Thanks for the reply ! </P> Tue, 29 Sep 2020 18:49:55 GMT https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307958#M92408 jimdiconectiv 2020-09-29T18:49:55Z https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307959#M92409 <P>I believe I had to teach Splunk to recognize the different using Regex and the time_format props.conf settings.</P> <P>The Add data GUI in the SH really helped me accomplish this as i could test my regex and time_format settings on the fly and see how it would affect my data before it was ingested.</P> Thu, 29 Mar 2018 22:24:02 GMT https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307959#M92409 hos_2 2018-03-29T22:24:02Z https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307960#M92410 <P>I used this Splunk answers when i ran into this problem:</P> <P><A href="https://answers.splunk.com/answers/499990/is-it-possible-to-assign-different-timestamps-base.html">https://answers.splunk.com/answers/499990/is-it-possible-to-assign-different-timestamps-base.html</A></P> <P>I forgot to mention I also had to use Transforms</P> Thu, 29 Mar 2018 22:28:30 GMT https://community.splunk.com/t5/Splunk-Search/Force-milliseconds-into-raw-when-milliseconds-not-in-source-file/m-p/307960#M92410 hos_2 2018-03-29T22:28:30Z