Splunk Search

[Beginner] timestamp in microseconds since boot

HenryVIII
New Member

Just downloaded Splunk on my laptop and am trying it out on a log file.
I am at: Home » Add data » Files & directories » Data preview

Each line in the log looks like this:
EVENT: code_point Label: 0x12345678 Handle: 0x98760abc STAMP: 784523000.

The timestamp is at the end (and ends with a dot), and the value is "microseconds since boot".

I can't figure out the right combination of preface and strptime patterns to get Splunk to parse my timestamps. Suggestions?

0 Karma

sowings
Splunk Employee

I suggest that since "boot time" is a moving target, there will be no way for Splunk to come up with an absolute time stamp for that event. In this instance, Splunk will default to "now" for the event time for that log line. You can still search for the value of the STAMP field, and obtain other useful insights, but knowing exactly when in time that event occurred may not be possible.

sowings
Splunk Employee

It's not recognizing time stamps because to its way of thinking there aren't any. You mentioned that you're indexing an existing log file. In this instance, yes, you're right that Splunk will set the event time to be the last modification time of the file. If you're monitoring a live (i.e. changing) file, if Splunk can't find a full time stamp for the event, it will use "now" as the event time of that new line.

I don't know of a way to treat the stamp in a single event as an offset from a seed time.

0 Karma

HenryVIII
New Member

OK, but my first problem is that Splunk is not recognizing the timestamps at all. Splunk gives every entry a timestamp of the file creation time, even though the last entry occurred an hour after the first.

I could seed the log with an entry that gives the absolute time when boot happened. What format should I use for this seed entry? And how do I get Splunk to read the STAMP: field as a microsecond offset from the seed?

0 Karma
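One way to make this log parseable is the seeding idea from the question, done outside Splunk: a small preprocessing script that reads a seed line carrying the absolute boot time, turns each "STAMP: <microseconds>." into an absolute UTC timestamp, and prefixes it to the line so Splunk's ordinary strptime handling can pick it up. The following is an added example, not code from the thread or from Splunk; the "BOOT: <ISO-8601 time>" seed-line format and the sample log lines are constructed assumptions. It also handles a log that spans several reboots (each new BOOT line resets the base), which the thread does not discuss.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample log. The "BOOT:" line is a hypothetical seed entry giving the
# absolute boot time; its format is an assumption made for this example, and the
# EVENT lines follow the shape shown in the question.
SAMPLE_LOG = """\
BOOT: 2024-03-01T08:00:00Z
EVENT: code_point Label: 0x12345678 Handle: 0x98760abc STAMP: 784523000.
EVENT: code_point Label: 0x12345679 Handle: 0x98760abd STAMP: 4384523000.
"""

SEED_RE = re.compile(r"^BOOT:\s*(\S+)\s*$")
# STAMP value is an integer count of microseconds since boot, followed by a dot.
STAMP_RE = re.compile(r"STAMP:\s*(\d+)\.?\s*$")


def parse_seed(line):
    """Return the absolute boot time (UTC) if this is a seed line, else None."""
    m = SEED_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def stamp_to_absolute(line, boot_time):
    """Convert the microseconds-since-boot STAMP on a line to an absolute datetime."""
    m = STAMP_RE.search(line)
    if not m:
        return None
    return boot_time + timedelta(microseconds=int(m.group(1)))


def rewrite_log(text):
    """Prefix every STAMP line with an absolute ISO-8601 UTC timestamp.

    Seed lines are consumed (not emitted); a later seed line resets the base,
    so a log covering several reboots is handled. Lines without a STAMP pass
    through unchanged. A STAMP line before any seed is an error, because there
    is no base to offset from.
    """
    boot_time = None
    out = []
    for line in text.splitlines():
        seed = parse_seed(line)
        if seed is not None:
            boot_time = seed
            continue
        ts = stamp_to_absolute(line, boot_time) if boot_time is not None else None
        if ts is None:
            if STAMP_RE.search(line):
                raise ValueError("STAMP line seen before any BOOT seed line")
            out.append(line)
            continue
        out.append(ts.strftime("%Y-%m-%dT%H:%M:%S.%f") + "Z " + line)
    return out


if __name__ == "__main__":
    for rewritten in rewrite_log(SAMPLE_LOG):
        print(rewritten)
```

With the absolute timestamp now at the start of each line, Splunk can be pointed at it with a props.conf stanza for the sourcetype along the lines of `TIME_PREFIX = ^` and `TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6NZ` (Splunk's `%6N` is its microsecond subsecond specifier). The original STAMP field is left in place, so searches on it keep working.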