Solved: Aggregate timestamp from WebLogic

vanaepi · ‎05-24-2013

This is how my WebLogic logs look :

<TimestampUntilSeconds> <Fixed Number of Other tags here> <1369087465001> More data here

As you can see, they have a timestamp in the beginning, then they have some other information , then there's the time in milliseconds since 1970 and then there's the rest of the log.

Now, as expected, Splunk takes the first timestamp and ignores what appears to be a random number. But the timestamp is not accurate enough for me, so I would like to store the last three digits of the number as the milliseconds. How would I go about that?

martin_mueller · ‎05-24-2013

There are several tools to use from http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition, most importantly in your case TIMEFORMAT to tell Splunk that it's looking for a unix timestamp, TIMEPREFIX to tell Splunk where to look, and MAXTIMESTAMPLOOKAHEAD to tell Splunk how far to keep looking after that.

View solution in original post

martin_mueller · ‎05-24-2013

There are several tools to use from http://docs.splunk.com/Documentation/Splunk/latest/Data/Configuretimestamprecognition, most importantly in your case TIMEFORMAT to tell Splunk that it's looking for a unix timestamp, TIMEPREFIX to tell Splunk where to look, and MAXTIMESTAMPLOOKAHEAD to tell Splunk how far to keep looking after that.

View solution in original post

martin_mueller · ‎05-27-2013

Based on the old definitions yes, but you can tell Splunk to read milliseconds using %3N. See the above link (minus the comma) for reference.

vanaepi · ‎05-27-2013

Isn't a UNIX timestamp per definition accurate on the second? I need accuracy on the millisecond.