Time parsing working correctly but not able to see...

izzie123 · ‎02-15-2024

Hello

I have to work on a parser which has the time format like this : "time: 2024-02-15T11:40:19.843185438Z"

It is json data so I have created a logic like below to extract the time.

TIME_PREFIX = \"time\"\:\s*\"

TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%9Q%Z

Although, I see no errors while uploading the test data, in the time field I can see values upto 3 milliseconds only, for eg : 2/15/24
11:40:19.843 AM

Is this the right way or Splunk does show the nanoseconds values too?

If it does, what is it that is missing in my logic to view the same?

Kindly help.

Regards.

ITWhisperer · ‎02-15-2024

There is a default for showing the _time field. You can override this. For exmple

| fieldformat _time=strftime(_time,"%Y-%m-%dT%H:%M:%S.%9Q%Z")

izzie123 · ‎02-15-2024

@ITWhisperer Thanks for your reply, this can be done inline but how do we ensure we have the right time extraction from the data? Is it possible to set the _time to show nanoseconds while creation of the parser?

Also, with the command that you gave I cannot see the right results, below is the result I am getting.

NaN/NaN/aN
NaN:NaN:NaN.000 AM

ITWhisperer · ‎02-15-2024

Your graphic was an event view, what do you get with a statistics view (you might need a table command to show the various fields)?

What was the full search which gave you the NaN result?

izzie123 · ‎02-15-2024

@ITWhisperer

index="test1"
| fieldformat _time=strftime(_time,"%Y-%m-%dT%H:%M:%S.Z")

izzie123 · ‎02-15-2024

@ITWhisperer however, I need to create a parser which will parse the events which have the timestamp like

"time: 2024-02-15T11:40:26.498494245Z"

I read on the community that Splunk does not support nanoseconds. so, if I put in the microseconds logic(%Y-%m-%dT%H:%M:%S.%6Q%Z), will I get the values till microseconds?

ITWhisperer · ‎02-15-2024

Correct, but you could reparse the raw event data to extract the nanoseconds and do the extra maths however, the strptime() and strftime() functions don't support precisions beyond microseconds.

izzie123 · ‎02-16-2024

@ITWhisperer I just want to be sure that we are extracting the timestamp correctly, so my doubt is that for an event which has timestamp as 2024-02-16T11:46:02.9895330Z, we have created the time format as %Y-%m-%dT%H:%M:%S.%9N%Z but the _time field shows values like 2/16/24
11:46:02.989 AM,

So is this correct?

Thank you so much for the help.

Regards.

PickleRick · ‎02-16-2024

Supposedly Splunk can support such time resolution but I haven't found any official info on that. You can always test it by defining time parsing rule with nanosecond precission and ingesting non-monotonically timed events differing at - for example - nanosecond level.

If you can later do your search sorted by _time (regardless of it's the default reverse chronological order or an explicit sort command), that would mean it works properly. Otherwise it would mean that either Splunk doesn't store time with such precision or at least doesn't use it for practical purposes.

ITWhisperer · ‎02-16-2024

Yes, this looks correct

Time parsing working correctly but not able to see nanoseconds in the results

JSON

Linux

props.conf

source

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!