Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract timestamp in Epoch (microseconds) to date

alextsui
Path Finder
‎05-11-2011 12:07 AM

Hi, I need Splunk to recognize the timestamps down to microseconds.

A sample event is listed below:

1305096676.192356,64.127.105.40,10.1.81.74,

Splunk 4.1.8 automatically(without any extra configuration) recognizes the epoch time down to the milliseconds. But I need the timestamp to be extracted to the microseconds.

I have tried using props.conf with the following configuration:

[test]
TIME_PREFIX = ^
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 17

But didn’t work.

Any suggestion?

Thanks.

Tags (1)
0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-11-2011 09:49 AM

I think this is a display formatting thing more than anything else. I took your config and sample data and loaded it up. When I search on it, I do only see the time out to 3 decimals. I did a slightly different search, however, and found that Splunk is storing all 6 decimals, just truncating at display time.

sourcetype=test | eval foo=_time | table _time, foo

If you run this search, you'll see the the results formatted as

5/11/11 1:51:16.192 AM  1305096676.192356

Which suggests that the time is being extracted/stored with full 6-decimal accuracy, but only being displayed with 3. I don't know the explanation for this behavior or if it can be changed - but it would be a good follow on question.

Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...