Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Parsing epoch time (tai64n) with milliseconds

OL
Communicator
‎06-02-2011 03:35 PM

Hello All,

I have a log which has the following unix tai64n timestamp: @400000004ddf8b5a1803be44. Splunk 4.2.1 recognises it at index time but ignores the milliseconds.

Is there a way to change this behaviour and parse the milliseconds at index time?

It seems that I cannot try the "TIME_FORMAT = %s%3N" here as the timestamp is in hex. The datetime.xml mentions a "subsecond" for the utcepoch, but I don't know how to use it.

Splunk seems to recognise only the first 16 charaters. I tried to remove the "16" in the regex in the datetime.xml ( ^@[\da-fA-F]{16,24} ), but this didn't help neither.

Any idea anyone?

Regards,
Olivier

0 Karma
Reply

freedomson
Explorer
‎02-05-2019 02:11 AM

Please take a look into:
https://answers.splunk.com/answers/688698/why-are-milliseconds-not-being-parsed-in-cluster-e.html

0 Karma
Reply

OL
Communicator
‎06-03-2011 05:15 AM

Well, if you are on Splunk 4.2.1 (the version I have), it simple: let Splunk eat the log and it will get the correct timestamp without the milliseconds.

The problem comes when you need the milliseconds 😞

0 Karma
Reply

keiichilam
Explorer
‎06-03-2011 05:12 AM

May I ask how you make splunk accept tai64n time?

I have some imported events but I don't know how to process them, e.g.

@400000004de5bcd921686bec tcpserver: status: 0/40

@400000004de5bcd921686034 tcpserver: end 10611 status 256

I am happy even without miliseconds.

Regards,
Keith

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎06-02-2011 03:43 PM

Related (possibly the same) question at http://splunk-base.splunk.com/answers/4540/does-splunk-support-indexing-of-timestamps-in-tai64nlocal...

0 Karma
Reply

OL
Communicator
‎06-03-2011 01:12 AM

Indeed, same question, I forgot about that as I was carried out with the newest version and the bug correction for epoch in 4.2.1. I will continue the threat you indicated (probably makes more sense). Thank you for this.

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...