Sort results down to the millisecond

trozza · ‎10-17-2018

Currently in our log files, the _time value is rounded down to the nearest second and is sorted accordingly.

But in our event tab, the start of each log follows this exact pattern:

2018-10-17 17:53:42.8332

The part in bold is the milliseconds and I want to be able to include in my query:

The ability to search (possibly regex?) the start of each result and pick up the millisecond value.
Sort the results based on this so that results are sorted down to the millisecond.

I'm not too sure of how to approach this, I haven't really need this question asked yet so any guidance on what to do would be greatly appreciated 🙂

christianhuber · ‎10-18-2018

theoreticaly you just could create a new field out your timestamp and sort your events after that field

2018-10-17 17:53:42.8332 -> 201810171753428332
2018-10-17 17:53:42.8215 -> 201810171753428215
2018-10-17 17:53:42.8198 -> 201810171753428198

the _time field will not support miliseconds.

| sort _time, your_new_field

trozza · ‎10-18-2018

Thanks for the idea!

What would be the best way to create a new field out of this timestamp, given that it currently isn't captured in a field, just is raw data.

Are you a member of the Splunk Community?