Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

unable to extract timestamp till nano seconds

ips_mandar
Builder
‎09-15-2020 10:33 AM

Hi
I am trying to extract timestamp including nanoseconds but I am able to extract only 7 digits of nanoseconds though I used %9N in TIME_FORMAT.
Below is my sample event-

 

 

10,11/03/20 04:00:00.00000010,11/03/20,04:00:00,Zx: 6037,04:00:00,48d4c21c3014850838840a460424c05b20412128053ce6074720006e00f1ff5500000000000000,Mod=2,AckReq=0,RtBits=0,MsgSeq=35,OnRte=1,Id=46,VId=6037

 

 

Below is my props.conf -

 

 

[abc_logs_st]
LINE_BREAKER = ([\r\n]+)
SHOULD_LINEMERGE = false
NO_BINARY_CHECK = true
category = Custom
pulldown_type = 1
disabled = false
TIME_PREFIX = ^\d+\,
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %m/%d/%y %H:%M:%S.%9N

 

 

Why Splunk is considering only 7 digits after decimal..Is this bug in Splunk?


 Thanks.

Labels (1)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎09-15-2020 11:05 AM

The example event has only 8 digits after the decimal.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ips_mandar
Builder
‎09-15-2020 10:16 PM

@richgalloway  No this won't help.
Even if I include 9 digits after decimal still splunk was able to extract 7 digits only .
Is this bug with Splunk?

0 Karma
Reply
Get Updates on the Splunk Community!

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...

Security Newsletter Updates | March 2023

 March 2023 | Check out the latest and greatestUnify Your Security Operations with Splunk Mission Control The ...