
Can I configure milliseconds in Splunk for the incoming events?

Motivator

Hi.

In my events I have the timestamp like HH:MM:SS (seconds). So Splunk is by default taking this timestamp, but I need to have the milliseconds also to do some stats. How can I configure settings in Splunk in such a way that whenever each event comes to Splunk, I can show the time in the current system time, i.e. the time at which the event came to Splunk, including the milliseconds in the time?

My sample log event is as follows:

    Jul 25 11:52:03 10.230.189.141 Jul 25 11:52:04 System: 0199B1 X0000000 0C00D D Configuration export a succeeded

Please help asap.

Thanx


Motivator

We are looking for an answer to this too at my client this week. Basically, how to give an enterprise application more precision.

The best option is to have the app itself write in millisecond precision. This eliminates all differences due to network lag, indexing lag (Splunk has buffers, so events may not be indexed instantly) etc.

(ANY other type of sub-second statistics, by definition, are not going to be fully accurate! ...due to the amount of time the event takes to get out of the application, across the network, and into the Splunk server. So you should question whether or not it is even worth giving this type of stat out to your user, because their expectation could be set on something inherently inaccurate.)

Since this does not seem to be an option until a further release of the application in question, we are going to try to eliminate as many Splunk variables as possible by using a syslog server (syslog-ng) to accept the syslog traffic and write a millisecond timestamp as to when it was received.

It seems syslog-ng's "frac_digits" option can be used, either in a global options{} statement, or per "destination" - such as the file Splunk will monitor.
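As an added illustration of the approach described in this answer (this is not the poster's configuration, and it assumes a syslog-ng 3.x install, a UDP/514 listener and a file path of your choosing), the following syslog-ng configuration stamps every received message with the receive time at millisecond precision, both through the global `frac_digits()` default and explicitly on the destination that Splunk monitors:

```conf
# Added example, not from the original answer. Assumptions: syslog-ng 3.x,
# devices send to UDP/514, Splunk monitors /var/log/remote/ (adjust the path).
@version: 3.2

options {
    frac_digits(3);      # global default: 3 fractional digits, i.e. milliseconds
    keep_timestamp(yes); # keep the device's own header time available as $S_* macros
};

# Listener for the devices' syslog traffic (assumed address/port)
source s_net {
    udp(ip(0.0.0.0) port(514));
};

# File that Splunk's monitor input reads. frac_digits() here overrides the
# global setting for this destination only, as the answer describes.
# $R_ISODATE is the time syslog-ng RECEIVED the message (the "R_" prefix),
# not the whole-second timestamp the device wrote into the header.
destination d_splunk_file {
    file("/var/log/remote/${HOST}.log"
        frac_digits(3)
        template("${R_ISODATE} ${HOST} ${MESSAGE}\n")
    );
};

log { source(s_net); destination(d_splunk_file); };
```

With this in place the line written for the sample event above would look like the following constructed example: `2012-07-25T11:52:03.417+00:00 10.230.189.141 Jul 25 11:52:04 System: 0199B1 ...`, where the leading timestamp is the receive time with milliseconds and the device's original whole-second timestamp is still preserved in the message body. The receive time is still later than the moment the event happened on the device, which is the inaccuracy the answer warns about; what this removes is the additional, variable indexing lag inside Splunk.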

Motivator

Thanx Jason.. It worked 🙂

Ultra Champion

Maybe this can help you along,

Each event has a hidden field called _indextime, which is the local time of the indexer at the time the event was indexed. I believe(?) that unfortunately it cannot be accessed directly, say like in a table or chart, but you can eval xxx=_indextime and use xxx for presentation purposes.

For a little more info, see:
http://splunk-base.splunk.com/answers/171/using-_indextime-to-specify-time-range

Hope this helps,

Kristian


Ultra Champion

Aah, sorry about that - wasn't aware of those limitations at the time of writing. I don't know if Splunk can be configured to store the _indextime with sub-seconds, but I doubt it.

/k


Motivator

Splunk is not taking the time format in milliseconds, i.e. I am unable to get the milliseconds value for my time when I use the _indextime... 😞

Motivator

Even if I use the _indextime, I am getting the milliseconds as 0. I have used it like this: eval Time=strftime(_indextime,"%H:%M:%S:%6N"). But this is not working?