I am not able to capture milliseconds in an accelerated data model.
The query is like this:
|tstats max(_time) as Start min(_time) as End from datamodel=One.A where nodename=B.A by A.Id|eval duration=End-Start
The raw logs have milliseconds, but the above query does not have the milliseconds.
Thanks
Payal
I am experiencing the same problem. When searching an accelerated data model, the milliseconds of the _time field are lost (when using a tstats latest search). This is a problem, since the milliseconds are needed to accurately determine the latest event!
I describe the problem in more detail in a question I posted here:
https://community.splunk.com/t5/Splunk-Search/Data-model-time-field-format/m-p/549121#M155777
Hi @payal23
What happens if you try this?
|tstats max(_time) as Start min(_time) as End from datamodel=One.A where nodename=B.A by A.Id| eval newstrt=strftime(Start,"%Y-%m-%d %H:%M:%S:%3N %p")| eval newend=strftime(End,"%Y-%m-%d %H:%M:%S:%3N %p")
Can you see milliseconds now?
Hi Suki, @Sukisen1981
If I search the last 15 - 20 mins, milliseconds are displayed. But if I search any time older than this, then it does not display milliseconds.
My question is that while saving the data in the indexer (accelerated data model) will it not save the milliseconds?
May I know the name of the datamodel you are using?
Ideally the query below returns _time in epoch format. What do you get?
|tstats max(_time) as Start min(_time) as End from datamodel=One
Yes, in epoch format. But that value does not have milliseconds.
So, in the raw logs the time is 5:49:08.715 PM and the tstats epoch-converted time has 1565250548.
I hope you can see the milliseconds when you run the query below.
| from datamodel One
| table _time
Yes, I am able to see them here, but if I do max or min of the time, the milliseconds are not printed.
I can't reproduce the issue with the query below on the 'Authentication' datamodel.
|tstats max(_time) as Start min(_time) as End from datamodel=One
Is yours a custom datamodel? If it's a standard one, can you share the datamodel name?
@jawaharas It's a custom data model. Can you try accelerating that data model and look for milliseconds?
We can see milliseconds in accelerated data model.