Solved: How to recognize _indextime and _time as values in...

sunrise · ‎12-25-2013

Hi Splunkers,

I want to know how does it take for splunk to index the data in subseconds?
So I prepared the following configration file.

props.conf

[sampledata]
DATETIME_CONFIG = CURRENT

But in this time, Splunk add timestamps (in this case, system time) in seconds to each events.
I know that we cannot use "TIME_FORMAT" option together with "DATETIME_CONFIG = CURRENT".
And in default setting, index date (_indextime field) is also in second order.

How can we recognize there fields (_indextime and _time fileds) as values in subsecond order to calculate index time ?

Thank you for your help.

I updated my question below.

Splunk logs are recognized as subsecond timeformat events.
I used these logs to calculate the index time.
However, default "_indextime" fields don't have subsecond timeformat.
Can I change this definition to change to subsecond order event.

sunrise · ‎01-06-2014

You should use SplunkIt as a mesurement for the index and search performance.

SplunkIt | Utilities | Splunk Apps http://apps.splunk.com/app/749/

View solution in original post

sunrise · ‎01-06-2014

You should use SplunkIt as a mesurement for the index and search performance.

SplunkIt | Utilities | Splunk Apps http://apps.splunk.com/app/749/

sunrise · ‎12-28-2013

It seems to be better to use splunkit.
I'll try that.

sunrise · ‎12-26-2013

I got something, so update the my question.
Splunk logs are recognized as subsecond timeformat event.
But "_indextime" field is not..
Can I change this timeformat to subsecond order ?

How to recognize _indextime and _time as values in subseconds ?

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...