Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are collected events in a summary index losing milliseconds from _time in Splunk 6.2.1?

arkadyz1
Builder
‎03-03-2015 12:22 PM

I collect some events into a summary index with something like this:

... some search ... | rex ... | eval ... | fields ... | fields - _raw | collect index=summary marker="search_type=mysearchtype"

Surprisingly, _time saved into summary index loses its milliseconds (they become zeroes). If I add something like | eval start_time = time | fields ..., start_time ..., that collected start_time does contain the milliseconds while the collected _time doesn't! This is happening in 6.2.1.

Not urgent since I have the workaround - just weird...

Reply
1 Solution
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎10-14-2016 02:19 PM

You need the raw to carry over the milliseconds. These are done at search time; index time is only to second-level granularity. I haven't had a look at the actual spool files that | collect produces, because they're ephemeral, and are gone before I can catch them. I suspect that they don't carry millis there and are indexed at second-level. You'll have to continue with your workarounds, it seems.

View solution in original post

Reply
Solved! Jump to solution
Solution

sowings
Splunk Employee
Splunk Employee
‎10-14-2016 02:19 PM

You need the raw to carry over the milliseconds. These are done at search time; index time is only to second-level granularity. I haven't had a look at the actual spool files that | collect produces, because they're ephemeral, and are gone before I can catch them. I suspect that they don't carry millis there and are indexed at second-level. You'll have to continue with your workarounds, it seems.

Reply
Solved! Jump to solution

krdo
Communicator
‎06-24-2015 02:10 AM

Also happens on Splunk 6.2.3
My workaround is to use ... | eval fractionalSeconds = _time % 1 in the populating search and EVAL-_time = (_time + fractionalSeconds) in my props.conf.

Reply
Solved! Jump to solution

eliazanaboni
Engager
‎07-27-2016 08:08 AM

Also happens on Splunk 6.3.3.
I didn't found it as a Known Issue.

0 Karma
Reply
Solved! Jump to solution

Anantha123
Communicator
‎09-27-2019 11:22 AM

Do you have any workaround without touching props.conf ? I use Splunk 7.0.8.5 .

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...