Splunk Search

Can I configure milliseconds in Splunk for the incoming events?

rakesh_498115
Motivator

Hi.

In my events I have the timestamp like HH:MM:SS (seconds), so Splunk is taking this timestamp by default, but I need to have the milliseconds also to do some stats. How can I configure settings in Splunk in such a way that whenever an event comes to Splunk, I show the time as the current system time, i.e. the time at which the event came to Splunk, including the milliseconds?

My sample log event is as follows:

Jul 25 11:52:03 10.230.189.141 Jul 25 11:52:04 System: 0199B1 X0000000 0C00D D Configuration export a succeeded

Please help ASAP.

Thanks

0 Karma
1 Solution

Jason
Motivator

We are looking for an answer to this too at my client this week. Basically, how to give an enterprise application more precision.

The best option is to have the app itself write in millisecond precision. This eliminates all differences due to network lag, indexing lag (Splunk has buffers, so events may not be indexed instantly), etc.

(ANY other type of sub-second statistics, by definition, are not going to be fully accurate, due to the amount of time the event takes to get out of the application, across the network, and into the Splunk server. So you should question whether or not it is even worth giving this type of stat to your users, because their expectation could be set on something inherently inaccurate.)

Since this does not seem to be an option until a further release of the application in question, we are going to try to eliminate as many Splunk variables as possible by using a syslog server (syslog-ng) to accept the syslog traffic and write a millisecond timestamp as to when it was received.

It seems syslog-ng's "frac_digits" option can be used, either in a global options{} statement or per "destination", such as the file Splunk will monitor.
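The following is an added example of the setup Jason describes; it is not from his post, from the thread, or from the syslog-ng or Splunk projects. It shows a syslog-ng destination that stamps every line with the time syslog-ng received it (${R_ISODATE}, i.e. the receive time, not the timestamp carried inside the device's message), using frac_digits(3) on that destination rather than in the global options{} block, plus the Splunk inputs.conf and props.conf needed so Splunk reads the fractional seconds back into _time instead of auto-detecting. The listening port, file paths and the sourcetype name net_syslog_ms are assumptions.

```conf
# /etc/syslog-ng/conf.d/splunk.conf  (added example; port and path are assumptions)

# Accept the devices' syslog traffic on UDP 514.
source s_net {
    udp(ip("0.0.0.0") port(514));
};

# One line per event. ${R_ISODATE} is the time syslog-ng RECEIVED the event,
# so it is independent of the clock on the sending device. frac_digits(3)
# makes the ISO 8601 macros carry three fractional digits (milliseconds);
# putting it on the destination keeps the change local to this file.
# Resulting line (constructed illustration):
#   2012-07-25T11:52:03.417+02:00 10.230.189.141 Jul 25 11:52:04 System: ...
destination d_splunk {
    file("/var/log/splunk/net.log"
         frac_digits(3)
         template("${R_ISODATE} ${HOST} ${MESSAGE}\n")
    );
};

log { source(s_net); destination(d_splunk); };


# $SPLUNK_HOME/etc/system/local/inputs.conf  (sourcetype name is an assumption)
[monitor:///var/log/splunk/net.log]
sourcetype = net_syslog_ms


# $SPLUNK_HOME/etc/system/local/props.conf on the instance that parses the file
# (indexer, or heavy forwarder if one sits in front of it)
[net_syslog_ms]
# Anchor the timestamp at the start of the line and read at most one
# ISO 8601 stamp, so the device's own "Jul 25 11:52:04" further along the
# line can never be picked as _time.
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 32
# %3N = milliseconds; %:z = "+02:00"-style offset, which is what R_ISODATE emits.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%:z
SHOULD_LINEMERGE = false
```

With this in place, `_time` carries the millisecond receive time and the device's original timestamp is still present in the raw text, so the difference between the two can be charted as network delay per host. Note that this measures arrival at syslog-ng, not arrival at Splunk: the indexing lag Jason mentions still sits between the file write and `_indextime`, and nothing here changes the precision of `_indextime` itself.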

rakesh_498115
Motivator

Thanks Jason. It worked 🙂

0 Karma

kristian_kolb
Ultra Champion

Maybe this can help you along,

Each event has a hidden field called _indextime, which is the local time of the indexer at the time the event was indexed. I believe (?) that unfortunately it cannot be accessed directly, say in a table or chart, but you can eval xxx=_indextime and use xxx for presentation purposes.

For a little more info, see:
http://splunk-base.splunk.com/answers/171/using-_indextime-to-specify-time-range

Hope this helps,

Kristian

0 Karma

kristian_kolb
Ultra Champion

Aah, sorry about that - wasn't aware of those limitations at the time of writing. I don't know if Splunk can be configured to store the _indextime with sub-seconds, but I doubt it.

/k

0 Karma

rakesh_498115
Motivator

Splunk is not taking the time format in milliseconds, i.e. I am unable to get the milliseconds value for my time when I use _indextime... 😞

0 Karma

rakesh_498115
Motivator

Even when I use _indextime, I am getting the milliseconds as 0. I have used it like this: eval Time=strftime(_indextime,"%H:%M:%S:%6N"), but this is not working?

0 Karma