Splunk Search

Parsing epoch time (tai64n) with milliseconds

OL
Communicator

Hello All,

I have a log which has the following unix tai64n timestamp: @400000004ddf8b5a1803be44. Splunk 4.2.1 recognises it at index time but ignores the milliseconds.

Is there a way to change this behaviour and parse the milliseconds at index time?

It seems that I cannot try the "TIME_FORMAT = %s%3N" here as the timestamp is in hex. The datetime.xml mentions a "subsecond" for the utcepoch, but I don't know how to use it.

Splunk seems to recognise only the first 16 charaters. I tried to remove the "16" in the regex in the datetime.xml ( ^@[\da-fA-F]{16,24} ), but this didn't help neither.

Any idea anyone?

Regards,
Olivier

0 Karma

freedomson
Explorer
0 Karma

OL
Communicator

Well, if you are on Splunk 4.2.1 (the version I have), it simple: let Splunk eat the log and it will get the correct timestamp without the milliseconds.

The problem comes when you need the milliseconds 😞

0 Karma

keiichilam
Explorer

May I ask how you make splunk accept tai64n time?

I have some imported events but I don't know how to process them, e.g.

@400000004de5bcd921686bec tcpserver: status: 0/40

@400000004de5bcd921686034 tcpserver: end 10611 status 256

I am happy even without miliseconds.

Regards,
Keith

0 Karma

dwaddle
SplunkTrust
SplunkTrust
0 Karma

OL
Communicator

Indeed, same question, I forgot about that as I was carried out with the newest version and the bug correction for epoch in 4.2.1. I will continue the threat you indicated (probably makes more sense). Thank you for this.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Unified Identity - Now Available for Existing Splunk ...

Raise your hand if you’ve already forgotten your username or password when logging into an account. (We can’t ...

Index This | How many sides does a circle have?

February 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Registration for Splunk University is Now Open!

Are you ready for an adventure in learning?   Brace yourselves because Splunk University is back, and it's ...