All Apps and Add-ons

I need to display with milliseconds in a Timeline visualizations graph, is this possible?

robertlynch2020
Motivator

I need to be able to see Milliseconds accuracy in TimeLine visualizations graph.

At the moment all events fall into a 1 second bucket, at _time is set this way.

so all events always start at the 1 second + duration. I want the events to start at the exact milliseconds. If i change _time to have %SN this does not add on the milliseconds. Even with the span=1ms. Is this possible?

Perhaps how in take the data in is not correct.
TIME_FORMAT = %s%3N
TIME_PREFIX = \"startTime\":

| tstats summariesonly=true max(All_TPS_Logs.duration) AS All_TPS_Logs.duration FROM datamodel=MLC_TPS_DEBUG4 WHERE (nodename=All_TPS_Logs host=TimeSeries) All_TPS_Logs.name =*** GROUPBY _time, All_TPS_Logs.fullyQualifiedMethod span=1ms | rename All_TPS_Logs.fullyQualifiedMethod as opId | convert timeformat="%Y-%m-%d %H:%M:%S:%3N" ctime(_time) AS _time | table _time opId All_TPS_Logs.duration

alt text

0 Karma
1 Solution

woodcock
Esteemed Legend

You cannot force something to be there that is not. You need to make sure that the original events contain millisecond granularity. Do they? If they do, then you need to make sure that Splunk inputs.conf is properly configured to receive ms into _time so that the events in Splunk have ms granularity. Have you? Even so, it is possible that tstats does not support ms, but I think this is unlikely, given that this works for timechart and other commands.

View solution in original post

0 Karma

BernardEAI
Communicator

After getting stuck with this problem for many hours, I have also determined that the tstats latest command does not support milliseconds. It seems the milliseconds are recoded in the tsidx file (in the _time field), however when we make use of the tstats latest command, the records are only searched on second resolution, not millisecond. The result is that numerous of our events that occur in the same second (at different milliseconds) and considered to have occurred simultaneously, resulting in inconsistent results for the latest command.

Tags (1)
0 Karma

niketnilay
Legend

If your data itself does not have granularity till milliseconds you will end up getting .000 in your visualization. Do you really want to show milliseconds when it is not present?

You can choose Axis Time Format and Tool Tip Time Format as SECONDS instead of SUBSECONDS, to get your timeline visualization in sync with your data, otherwise resort to @woodcock 's solution of configuring your inputs.conf/props.conf to receive ms in _time.

<option name="timeline_app.timeline.axisTimeFormat">SECONDS</option>
<option name="timeline_app.timeline.tooltipTimeFormat">SECONDS</option>

PS: You can do the same by Editing Timeline Chart in UI as well by setting Time format for Axis labels and Tooltips to HH:MM:SS

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

robertlynch2020
Motivator

Thanks. I got this working by using a nnormal search and no tstats. Cheers.

0 Karma

woodcock
Esteemed Legend

You cannot force something to be there that is not. You need to make sure that the original events contain millisecond granularity. Do they? If they do, then you need to make sure that Splunk inputs.conf is properly configured to receive ms into _time so that the events in Splunk have ms granularity. Have you? Even so, it is possible that tstats does not support ms, but I think this is unlikely, given that this works for timechart and other commands.

View solution in original post

0 Karma

robertlynch2020
Motivator

Cheers. Tstats does not have milliseconds so this was the issue. I used a basic search and i got it out. Cheers.

Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!