Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Accelerated data model not storing milliseconds in _time

payal23
Path Finder
‎08-07-2019 10:14 PM

I am not able to capture milliseconds in accelerated data model.

Query is like :

|tstats max(_time) as Start min(_time) as End from datamodel=One.A where nodename=B.A by A.Id|eval duration=End-Start

Raw logs are having milliseconds but the above query is not having the milliseconds.

Thanks
PAyal

Reply

BernardEAI
Communicator
‎04-28-2021 05:24 AM

I  am experiencing the same problem. When searching an accelerated data model, the miliseconds of the _time field is lost (when using a tstats latest search). This is a problem, since the miliseconds are needed to accurately determine the latest event!

I describe the problem in more detail in a question I posted here: 

https://community.splunk.com/t5/Splunk-Search/Data-model-time-field-format/m-p/549121#M155777 

Tags (1)
0 Karma
Reply

Sukisen1981
Champion
‎08-26-2019 12:12 AM

hi @payal23
What happens if you try this

|tstats max(_time) as Start min(_time) as End from datamodel=One.A where nodename=B.A by A.Id| eval newstrt=strftime(Start,"%Y-%m-%d %H:%M:%S:%3N %p")| eval newend=strftime(End,"%Y-%m-%d %H:%M:%S:%3N %p")

Can you see milliseconds now?

0 Karma
Reply

payal23
Path Finder
‎09-02-2019 07:37 PM

Hi Suki, @Sukisen1981

if i search for last 15 - 20 mins milliseconds are displaying.. But if i search any older time than this.. then it is not displaying milliseconds.

My question is that while saving the data in the indexer (accelerated data model) will it not save the milliseconds?

0 Karma
Reply

jawaharas
Motivator
‎08-08-2019 12:06 AM

May I know the name of datamodel you are using?

Ideally below query return _time in epoch format. What you get?

|tstats max(_time) as Start min(_time) as End from datamodel=One
0 Karma
Reply

payal23
Path Finder
‎08-08-2019 01:00 AM

yes. In epoch format. But that value does not have milliseconds.

So, in raw logs time is 5:49:08.715 PM and the tstats epoch converted time has 1565250548.

0 Karma
Reply

jawaharas
Motivator
‎08-08-2019 08:39 PM

I hope you can see the milliseconds when you run below query.

| from datamodel One
| table _time
0 Karma
Reply

payal23
Path Finder
‎08-21-2019 10:27 PM

yes I am able to see here.. but if i do max or min of the time.. millisecond is not printing

0 Karma
Reply

jawaharas
Motivator
‎08-25-2019 09:59 PM

I can't reproduce the issue with below query on 'Authentication' datamodel.

|tstats max(_time) as Start min(_time) as End from datamodel=One

Is yours custom datamodel? if it's standard one, can you share the datamodel name?

0 Karma
Reply

payal23
Path Finder
‎09-02-2019 07:39 PM

@jawaharas It's a custom data model. Can you try accelerating that data model and look for milliseconds?

0 Karma
Reply

jawaharas
Motivator
‎09-02-2019 10:30 PM

We can see milliseconds in accelerated data model.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...