go's time.RFC3339Nano format

framirez_enova · ‎09-11-2020

Anyone having issues with nano second formatting from JSON logs. Currently it seems like times get rounded up or something.

What's sent: 2020-09-11T10:23:44.30373164-05:00
What shows: 9/11/20 10:23:44.000 AM

If you have/experienced this issue, how are you coping with or how did you solved it?

framirez_enova · ‎09-15-2020

Interesting on the digit. Will keep that in mind. I also reached out to splunk support and they advise to try this in the props.conf file for the source:

%Y-%m-%dT%H:%M:%S.%9N%:z

isoutamo · ‎09-15-2020

%F <=> %Y-%m-%d
%T <=> %H:%M:%S

Please check your source is there eight or nine digits and use based on that %8N or %9N otherwise this didn't work.

isoutamo · ‎09-11-2020

I think that _time field can show it only ms not with more digits. If you want see all then you must convert it to anther field e.g. eval fullTime = strftime(_time, “%FT%T.%8N%:z”)
You have only 8 digits on your example even ns have 9, maybe this can also affect here?

go's time.RFC3339Nano format

field extraction

JSON

time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation

go's time.RFC3339Nano format

field extraction

JSON

time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...