Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Sort results down to the millisecond

trozza
Engager
‎10-17-2018 07:56 PM

Currently in our log files, the _time value is rounded down to the nearest second and is sorted accordingly.

But in our event tab, the start of each log follows this exact pattern:

2018-10-17 17:53:42.8332

The part in bold is the milliseconds and I want to be able to include in my query:

  1. The ability to search (possibly regex?) the start of each result and pick up the millisecond value.
  2. Sort the results based on this so that results are sorted down to the millisecond.

I'm not too sure of how to approach this, I haven't really need this question asked yet so any guidance on what to do would be greatly appreciated 🙂

0 Karma
Reply

christianhuber
Path Finder
‎10-18-2018 08:13 AM

theoreticaly you just could create a new field out your timestamp and sort your events after that field

2018-10-17 17:53:42.8332 -> 201810171753428332
2018-10-17 17:53:42.8215 -> 201810171753428215
2018-10-17 17:53:42.8198 -> 201810171753428198

the _time field will not support miliseconds.

| sort _time, your_new_field

Reply

trozza
Engager
‎10-18-2018 02:56 PM

Thanks for the idea!

What would be the best way to create a new field out of this timestamp, given that it currently isn't captured in a field, just is raw data.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...