Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

milliseconds in _time

dinisco
Explorer
‎03-28-2011 11:21 PM

Splunk is picking up a csv file that looks like this:

SP A,03/27/11 13:10:00,10,4,5,6
SP A,03/27/11 13:20:00,4,4,2,0
SP A,03/27/11 13:30:00,1,1,5,4
...
SP B,03/27/11 13:10:00,15,2,3,6
SP B,03/27/11 13:20:00,1,8,5,0
SP B,03/27/11 13:30:00,2,2,3,4

My assumption was that I would be able to do this:

| stats sum(column3) as total_column3 by _time |timechart avg(total_column3)

and end up with 25,5,3. But splunk is adding milliseconds to _time resulting in unique times/events:

3/27/11 1:10:00.400 PM  SP A,03/27/11 13:10:00,10,4,5,6
...
3/27/11 1:10:00.247 PM  SP B,03/27/11 13:10:00,15,2,3,6

I could use the date stamp column from the csv:

| stats sum(column3) as total_column3 by column2 |chart avg(total_column3) by column2

but I want to be able to use timechart and adjust span so I don't always have to use 10 minute intervals.

Should I be importing the data differently or is there a way around this?

Tags (2)
0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎03-29-2011 12:04 AM

I don't know if it's mis-parsing the data and getting milliseconds, but that's a separate issue. You can fix that by providing explicit TIME_FORMAT and TIME_PREFIX to match your data.

As for reporting, however, you should simply be able to do:

| timechart span=1s sum(column3)

or use whatever time span you like.

Also, I'm not sure why you'd need stats first. If this is a simplification, and you do need stats, you can force a span onto the with:

... | bucket span=10m _time | stats sum(column3) as total_colum3 by _time | ...

So whether or not the data has milliseconds, you should be able to adjust for it.

0 Karma
Reply

dinisco
Explorer
‎03-29-2011 10:12 PM

Thanks again, as always. The bucket span option did the trick.

The reason I'm using stats to sum is because I want to sum column3 for SPA and SPB then take an average over time. If I used sum in timechart it would add column3 and the data would be misrepresented whenever timechart span exceeded 10 mins.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...