Solved: sub second event sorting

briang67 · ‎09-24-2010

We have a log file which contains a 7 digit second timestamp like the below: 08:30:00.2124216

We periodically need to compare sub second times between events, but it looks like the splunk event _time only includes the first 3 second digits like: 08:30:00.212

the problem is when we do a sort by _time, we frequently see events that are out of order like the following: 08:30:00.2124216 08:30:00.2124215 (this should be the reverse)

Anyone know of a way to handle this? Can splunk be configured to recognize a more granular time stamp?

dwaddle · ‎09-24-2010

I suggest you check out the TIME_FORMAT option. I had a similar question some time ago:

http://answers.splunk.com/questions/1946/time-format-and-subseconds

View solution in original post

dwaddle · ‎09-24-2010

I suggest you check out the TIME_FORMAT option. I had a similar question some time ago:

http://answers.splunk.com/questions/1946/time-format-and-subseconds

gkanapathy · ‎09-25-2010

You use %7N to capture 7 digits of subseconds.

sub second event sorting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation