Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Parsing epoch time (tai64n) with milliseconds

OL
Communicator
‎06-02-2011 03:35 PM

Hello All,

I have a log which has the following unix tai64n timestamp: @400000004ddf8b5a1803be44. Splunk 4.2.1 recognises it at index time but ignores the milliseconds.

Is there a way to change this behaviour and parse the milliseconds at index time?

It seems that I cannot try the "TIME_FORMAT = %s%3N" here as the timestamp is in hex. The datetime.xml mentions a "subsecond" for the utcepoch, but I don't know how to use it.

Splunk seems to recognise only the first 16 charaters. I tried to remove the "16" in the regex in the datetime.xml ( ^@[\da-fA-F]{16,24} ), but this didn't help neither.

Any idea anyone?

Regards,
Olivier

0 Karma
Reply

freedomson
Explorer
‎02-05-2019 02:11 AM

Please take a look into:
https://answers.splunk.com/answers/688698/why-are-milliseconds-not-being-parsed-in-cluster-e.html

0 Karma
Reply

OL
Communicator
‎06-03-2011 05:15 AM

Well, if you are on Splunk 4.2.1 (the version I have), it simple: let Splunk eat the log and it will get the correct timestamp without the milliseconds.

The problem comes when you need the milliseconds 😞

0 Karma
Reply

keiichilam
Explorer
‎06-03-2011 05:12 AM

May I ask how you make splunk accept tai64n time?

I have some imported events but I don't know how to process them, e.g.

@400000004de5bcd921686bec tcpserver: status: 0/40

@400000004de5bcd921686034 tcpserver: end 10611 status 256

I am happy even without miliseconds.

Regards,
Keith

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎06-02-2011 03:43 PM

Related (possibly the same) question at http://splunk-base.splunk.com/answers/4540/does-splunk-support-indexing-of-timestamps-in-tai64nlocal...

0 Karma
Reply

OL
Communicator
‎06-03-2011 01:12 AM

Indeed, same question, I forgot about that as I was carried out with the newest version and the bug correction for epoch in 4.2.1. I will continue the threat you indicated (probably makes more sense). Thank you for this.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...