Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

subseconds forwarded via LightForwarder not recognized

Jaci
Splunk Employee
Splunk Employee
‎08-03-2010 03:43 PM

I have a log event with a timestamp that includes milliseconds: 2010-07-30 11:16:43,357

If the log is loaded into Splunk on the indexer the subseconds get recognized.

If the log is forwarded via LightForwarder, subseconds are not recognized:

7/30/10 11:16:43,000 AM

How can I correct this?

Thanks in advance.

Tags (1)
Reply

jhedgpeth
Path Finder
‎12-21-2010 02:49 PM

Have you tried setting the time format for that sourcetype explicitly in props.conf? I think the TIME_FORMAT would be %m/%d/%y %H:%M:%S,%3N

Not sure, but there may be a difference in how Splunk examines your data when coming via lightforwarder, and the props.conf setting should force the same behavior.

Reply

meno
Path Finder
‎08-24-2010 06:06 AM

We are sure there are no other rules on the LightForwarder. We also deleted all files under .../apps/learned and .../etc/users.

Subseconds still are not recognized from ALL sources.

Any more ideas how to debug / loglevel to make timestamp recognition visible ?

Thanks for helping, Meno

0 Karma
Reply

Stephen_Sorkin
Splunk Employee
Splunk Employee
‎08-17-2010 09:57 PM

Is this the case for all data or just from this source? I've tested a 4.1.x instance with the logs in index=_internal and subseconds are correctly parsed and rendered. Are there custom timestamping rules on the forwarder?

Reply
Get Updates on the Splunk Community!

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...

Unlock Instant Security Insights from Amazon S3 with Splunk Cloud — Try Federated ...

Availability: Must be on Splunk Cloud Platform version 10.1.2507.x to view the free trial banner. If you are ...