Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Which regex is the correct extraction for Splunk EPOCH timestamp with decimal microseconds configuration in props.conf ?

baegoon
Explorer
‎01-18-2019 07:59 AM

I have timestamps in my data sources that are EPOCH with fractional microseconds for example:

1547528398.991103
1547528400.021926

I have set up my props.conf with the following:

INDEXED_EXTRACTIONS = TSV
TIME_FORMAT = %s.%6Q
KV_MODE = none
FIELD_DELIMITER = \t
FIELD_QUOTE = "
FIELD_NAMES = ts,hostid,tx_hosts,rx_hosts,conns,source,message
TIMESTAMP_FIELDS = ts
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TZ = UTC

I think the indexer is having a performance issue when processing the timestamps. However, I would like to know the following:

Is this the correct extraction for the EPOCH timestamp with microseconds? TIME_FORMAT = %s.%6Q or should the extraction be %s.%6N or some other format?

Can I tell Splunk in props.conf (or transforms.conf) to round the fractional seconds or drop them from processing?

Any help is appreciated!

Happy Splunking!

0 Karma
Reply

woodcock
Esteemed Legend
‎01-23-2019 06:49 PM

I have always used N instead of Q and have never had any problems. Either should be just fine, though.

Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...