Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract timestamp in Epoch (microseconds) to date

alextsui
Path Finder
‎05-11-2011 12:07 AM

Hi, I need Splunk to recognize the timestamps down to microseconds.

A sample event is listed below:

1305096676.192356,64.127.105.40,10.1.81.74,

Splunk 4.1.8 automatically(without any extra configuration) recognizes the epoch time down to the milliseconds. But I need the timestamp to be extracted to the microseconds.

I have tried using props.conf with the following configuration:

[test]
TIME_PREFIX = ^
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 17

But didn’t work.

Any suggestion?

Thanks.

Tags (1)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-11-2011 09:49 AM

I think this is a display formatting thing more than anything else. I took your config and sample data and loaded it up. When I search on it, I do only see the time out to 3 decimals. I did a slightly different search, however, and found that Splunk is storing all 6 decimals, just truncating at display time.

sourcetype=test | eval foo=_time | table _time, foo

If you run this search, you'll see the the results formatted as

5/11/11 1:51:16.192 AM  1305096676.192356

Which suggests that the time is being extracted/stored with full 6-decimal accuracy, but only being displayed with 3. I don't know the explanation for this behavior or if it can be changed - but it would be a good follow on question.

Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...