Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why isn't timestamp extraction showing milliseconds?

wuming79
Path Finder
‎07-14-2017 12:26 AM

Hi,

I managed to make the time format from Epoch to human readable but I can't really get the millisecond out.
Example timeStamp":1495447178314
From Splunk it converted to "5/22/17 5:59:38.000 PM" but from https://www.epochconverter.com/, it is showing
May 22, 2017 5:59:38.314 PM

Reference document: http://docs.splunk.com/Documentation/Splunk/6.0/Data/Configuretimestamprecognition, .%3N should show the milliseconds.

0 Karma
Reply

woodcock
Esteemed Legend
‎04-12-2023 08:35 AM

| makeresults
| eval timeint="1495447178314"
| eval time=strptime(timeint,"%s%3N")
| eval timestr=strftime(time, "%F %T.%3N %Z")

Reply

PickleRick
SplunkTrust
SplunkTrust
‎04-04-2023 03:16 PM 
| makeresults 
| eval time=_time
| eval timee=time*1000+315
| eval timeee=strptime(timee,"%s%3N")

 

0 Karma
Reply

wuming79
Path Finder
‎07-17-2017 12:53 AM

Hi harishalipaka,

using the simple syntax, I keep getting "12/31/99 23:59:59"

alt text

Preview file
16 KB
0 Karma
Reply

niketn
Legend
‎07-14-2017 06:09 AM

Epoch time should be something like the following: 1495427378.314000, with decimal before millisecond. You can use %3N to display milliseconds part.

Following is the run anywhere search.

| makeresults
| eval timeStamp=strptime("05/22/17 09:59:38.314","%m/%d/%y %H:%M:%S.%3N")
| eval stringStamp=strftime(timeStamp,"%m/%d/%y %H:%M:%S.%3N")

Documentation for various time format variables: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
PS: 1st eval is to generate epoch timestamp. I have used second eval just to generate a new field to display time as string. You should ideally use fieldformat to retain time as epoch while presenting the same as string time which is human readable.

 | fieldformat  timeStamp=strftime(timeStamp,"%m/%d/%y %H:%M:%S.%3N")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

wuming79
Path Finder
‎07-17-2017 12:54 AM

Hi, does it work on 1495427378314000 without the decimal? My log timestamp was displayed without the decimal and I keep getting the time being converted as "12/31/99 23:59:59"

Reply

mmcmahon
Engager
‎04-04-2023 01:01 PM

This ended up working for me:

| eval secs=substr(timestamp,0,10)
| eval msecs=substr(timestamp,11,13)
| strcat secs "." msecs "000" epoch_fmt
| eval datetime=strftime(epoch_fmt,"%Y-%m-%d %H:%M:%S.%3N")

 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...