Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

subseconds forwarded via LightForwarder not recognized

Jaci
Splunk Employee
Splunk Employee
‎08-03-2010 03:43 PM

I have a log event with a timestamp that includes milliseconds: 2010-07-30 11:16:43,357

If the log is loaded into Splunk on the indexer the subseconds get recognized.

If the log is forwarded via LightForwarder, subseconds are not recognized:

7/30/10 11:16:43,000 AM

How can I correct this?

Thanks in advance.

Tags (1)
Reply

jhedgpeth
Path Finder
‎12-21-2010 02:49 PM

Have you tried setting the time format for that sourcetype explicitly in props.conf? I think the TIME_FORMAT would be %m/%d/%y %H:%M:%S,%3N

Not sure, but there may be a difference in how Splunk examines your data when coming via lightforwarder, and the props.conf setting should force the same behavior.

Reply

meno
Path Finder
‎08-24-2010 06:06 AM

We are sure there are no other rules on the LightForwarder. We also deleted all files under .../apps/learned and .../etc/users.

Subseconds still are not recognized from ALL sources.

Any more ideas how to debug / loglevel to make timestamp recognition visible ?

Thanks for helping, Meno

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-17-2010 09:57 PM

Is this the case for all data or just from this source? I've tested a 4.1.x instance with the logs in index=_internal and subseconds are correctly parsed and rendered. Are there custom timestamping rules on the forwarder?

Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...