Getting Data In

Aggregate timestamp from WebLogic

vanaepi
Explorer

This is how my WebLogic logs look :

<TimestampUntilSeconds> <Fixed Number of Other tags here> <1369087465001> More data here

As you can see, they have a timestamp in the beginning, then they have some other information , then there's the time in milliseconds since 1970 and then there's the rest of the log.

Now, as expected, Splunk takes the first timestamp and ignores what appears to be a random number. But the timestamp is not accurate enough for me, so I would like to store the last three digits of the number as the milliseconds. How would I go about that?

Tags (2)
0 Karma
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

There are several tools to use from http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition, most importantly in your case TIME_FORMAT to tell Splunk that it's looking for a unix timestamp, TIME_PREFIX to tell Splunk where to look, and MAX_TIMESTAMP_LOOKAHEAD to tell Splunk how far to keep looking after that.

View solution in original post

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

There are several tools to use from http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition, most importantly in your case TIME_FORMAT to tell Splunk that it's looking for a unix timestamp, TIME_PREFIX to tell Splunk where to look, and MAX_TIMESTAMP_LOOKAHEAD to tell Splunk how far to keep looking after that.

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Based on the old definitions yes, but you can tell Splunk to read milliseconds using %3N. See the above link (minus the comma) for reference.

0 Karma

vanaepi
Explorer

Isn't a UNIX timestamp per definition accurate on the second? I need accuracy on the millisecond.

0 Karma
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...