Splunk Search

Parsing epoch time (tai64n) with milliseconds

OL
Communicator

Hello All,

I have a log which has the following unix tai64n timestamp: @400000004ddf8b5a1803be44. Splunk 4.2.1 recognises it at index time but ignores the milliseconds.

Is there a way to change this behaviour and parse the milliseconds at index time?

It seems that I cannot try the "TIME_FORMAT = %s%3N" here as the timestamp is in hex. The datetime.xml mentions a "subsecond" for the utcepoch, but I don't know how to use it.

Splunk seems to recognise only the first 16 charaters. I tried to remove the "16" in the regex in the datetime.xml ( ^@[\da-fA-F]{16,24} ), but this didn't help neither.

Any idea anyone?

Regards,
Olivier

0 Karma

freedomson
Explorer
0 Karma

OL
Communicator

Well, if you are on Splunk 4.2.1 (the version I have), it simple: let Splunk eat the log and it will get the correct timestamp without the milliseconds.

The problem comes when you need the milliseconds 😞

0 Karma

keiichilam
Explorer

May I ask how you make splunk accept tai64n time?

I have some imported events but I don't know how to process them, e.g.

@400000004de5bcd921686bec tcpserver: status: 0/40

@400000004de5bcd921686034 tcpserver: end 10611 status 256

I am happy even without miliseconds.

Regards,
Keith

0 Karma

dwaddle
SplunkTrust
SplunkTrust
0 Karma

OL
Communicator

Indeed, same question, I forgot about that as I was carried out with the newest version and the bug correction for epoch in 4.2.1. I will continue the threat you indicated (probably makes more sense). Thank you for this.

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!