Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Accelerated data model not storing milliseconds in _time

payal23
Path Finder
‎08-07-2019 10:14 PM

I am not able to capture milliseconds in accelerated data model.

Query is like :

|tstats max(_time) as Start min(_time) as End from datamodel=One.A where nodename=B.A by A.Id|eval duration=End-Start

Raw logs are having milliseconds but the above query is not having the milliseconds.

Thanks
PAyal

Reply

BernardEAI
Communicator
‎04-28-2021 05:24 AM

I  am experiencing the same problem. When searching an accelerated data model, the miliseconds of the _time field is lost (when using a tstats latest search). This is a problem, since the miliseconds are needed to accurately determine the latest event!

I describe the problem in more detail in a question I posted here: 

https://community.splunk.com/t5/Splunk-Search/Data-model-time-field-format/m-p/549121#M155777 

Tags (1)
0 Karma
Reply

Sukisen1981
Champion
‎08-26-2019 12:12 AM

hi @payal23
What happens if you try this

|tstats max(_time) as Start min(_time) as End from datamodel=One.A where nodename=B.A by A.Id| eval newstrt=strftime(Start,"%Y-%m-%d %H:%M:%S:%3N %p")| eval newend=strftime(End,"%Y-%m-%d %H:%M:%S:%3N %p")

Can you see milliseconds now?

0 Karma
Reply

payal23
Path Finder
‎09-02-2019 07:37 PM

Hi Suki, @Sukisen1981

if i search for last 15 - 20 mins milliseconds are displaying.. But if i search any older time than this.. then it is not displaying milliseconds.

My question is that while saving the data in the indexer (accelerated data model) will it not save the milliseconds?

0 Karma
Reply

jawaharas
Motivator
‎08-08-2019 12:06 AM

May I know the name of datamodel you are using?

Ideally below query return _time in epoch format. What you get?

|tstats max(_time) as Start min(_time) as End from datamodel=One
0 Karma
Reply

payal23
Path Finder
‎08-08-2019 01:00 AM

yes. In epoch format. But that value does not have milliseconds.

So, in raw logs time is 5:49:08.715 PM and the tstats epoch converted time has 1565250548.

0 Karma
Reply

jawaharas
Motivator
‎08-08-2019 08:39 PM

I hope you can see the milliseconds when you run below query.

| from datamodel One
| table _time
0 Karma
Reply

payal23
Path Finder
‎08-21-2019 10:27 PM

yes I am able to see here.. but if i do max or min of the time.. millisecond is not printing

0 Karma
Reply

jawaharas
Motivator
‎08-25-2019 09:59 PM

I can't reproduce the issue with below query on 'Authentication' datamodel.

|tstats max(_time) as Start min(_time) as End from datamodel=One

Is yours custom datamodel? if it's standard one, can you share the datamodel name?

0 Karma
Reply

payal23
Path Finder
‎09-02-2019 07:39 PM

@jawaharas It's a custom data model. Can you try accelerating that data model and look for milliseconds?

0 Karma
Reply

jawaharas
Motivator
‎09-02-2019 10:30 PM

We can see milliseconds in accelerated data model.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...