I have timestamps in my data sources that are EPOCH with fractional microseconds, for example:
1547528398.991103
1547528400.021926
I have set up my props.conf with the following:
INDEXED_EXTRACTIONS = TSV
TIME_FORMAT = %s.%6Q
KV_MODE = none
FIELD_DELIMITER = \t
FIELD_QUOTE = "
FIELD_NAMES = ts,hostid,tx_hosts,rx_hosts,conns,source,message
TIMESTAMP_FIELDS = ts
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TZ = UTC
I think the indexer is having a performance issue when processing the timestamps. However, I would like to know the following:
Is this the correct extraction for the EPOCH timestamp with microseconds? TIME_FORMAT = %s.%6Q or should the extraction be %s.%6N or some other format?
Can I tell Splunk in props.conf (or transforms.conf) to round the fractional seconds or drop them from processing?
Any help is appreciated!
Happy Splunking!
I have always used N instead of Q and have never had any problems. Either should be just fine, though.
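An offline check of sample rows against the layout in the question, as an added example that is not part of the original thread and is not Splunk's parser: it splits on tabs in the FIELD_NAMES order and reads the ts column as integer epoch seconds plus six microsecond digits. The rows in SAMPLE are constructed; only the two timestamps come from the question.

```python
import re
from datetime import datetime, timedelta, timezone

# Column order copied from FIELD_NAMES in the question's props.conf.
FIELD_NAMES = ["ts", "hostid", "tx_hosts", "rx_hosts", "conns", "source", "message"]
# Epoch seconds, a dot, then exactly six fractional digits (the shape %s.%6Q / %s.%6N describes).
TS_RE = re.compile(r"^(\d{1,10})\.(\d{6})$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def parse_ts(raw):
    """Return a UTC datetime for 'seconds.microseconds', or None if the shape is wrong.
    Integer arithmetic keeps the microsecond digits from being rounded through a float."""
    m = TS_RE.match(raw)
    if not m:
        return None
    return EPOCH + timedelta(seconds=int(m.group(1)), microseconds=int(m.group(2)))

def check_lines(lines):
    """Split tab-delimited rows; return (parsed timestamps, [(line_no, reason), ...])."""
    parsed, problems = [], []
    for no, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) != len(FIELD_NAMES):
            problems.append((no, "expected %d fields, got %d" % (len(FIELD_NAMES), len(fields))))
            continue
        ts = parse_ts(fields[0])
        if ts is None:
            problems.append((no, "ts %r is not epoch.microseconds" % fields[0]))
            continue
        parsed.append(ts)
    return parsed, problems

# Constructed sample rows: the two timestamps are from the question, other fields are made up.
SAMPLE = [
    "1547528398.991103\th1\t2\t3\t10\tsrcA\tok",
    "1547528400.021926\th1\t2\t3\t11\tsrcA\tok",
    "1547528401.5\th1\t2\t3\t12\tsrcA\tshort fraction",
    "1547528402.000001\th1\t2\t3\ttruncated row",
]

if __name__ == "__main__":
    good, bad = check_lines(SAMPLE)
    for ts in good:
        print(ts.isoformat())
    for no, reason in bad:
        print("line %d: %s" % (no, reason))
```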