Solved: Re: sub second event sorting

briang67 · ‎09-24-2010

We have a log file which contains a 7 digit second timestamp like the below: 08:30:00.2124216

We periodically need to compare sub second times between events, but it looks like the splunk event _time only includes the first 3 second digits like: 08:30:00.212

the problem is when we do a sort by _time, we frequently see events that are out of order like the following: 08:30:00.2124216 08:30:00.2124215 (this should be the reverse)

Anyone know of a way to handle this? Can splunk be configured to recognize a more granular time stamp?

dwaddle · ‎09-24-2010

I suggest you check out the TIME_FORMAT option. I had a similar question some time ago:

http://answers.splunk.com/questions/1946/time-format-and-subseconds

View solution in original post

dwaddle · ‎09-24-2010

I suggest you check out the TIME_FORMAT option. I had a similar question some time ago:

http://answers.splunk.com/questions/1946/time-format-and-subseconds

gkanapathy · ‎09-25-2010

You use %7N to capture 7 digits of subseconds.

sub second event sorting

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education

Join the Conversation

sub second event sorting

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

New Year. New Skills. New Course Releases from Splunk Education