Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a best practice for using a time dimension with _metrics Data?

jordanking1992
Path Finder
‎03-22-2022 01:23 PM

Hello,

Working with a team that is sending some custom paramters via metrics data. They are trying to include a dimension that contains a data, but Splunk is not accepting of the date.

release:1,component:test,team:TestTeam,repo_branch:master,version:3,eventTimestamp:2022-03-22T14:46:41.048881800

My guess is that Splunk doesn't like the colon's in the timestamp but a bit unsure. The team wants to be able to send time within the metrics for later analysis using eval commands after indexing.

Is there a best practice for including a time dimension/value within metrics data? (i.e epoch/UNIX time)

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎03-22-2022 11:43 PM

You should be able to configure the timestamp recognition for your sourcetype to match the format used in your messages

https://docs.splunk.com/Documentation/Splunk/8.2.5/Data/Configuretimestamprecognition 

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...