Getting Data In

Extract timestamp in Epoch (microseconds) to date

alextsui
Path Finder

Hi, I need Splunk to recognize the timestamps down to microseconds.

A sample event is listed below:

1305096676.192356,64.127.105.40,10.1.81.74,

Splunk 4.1.8 automatically(without any extra configuration) recognizes the epoch time down to the milliseconds. But I need the timestamp to be extracted to the microseconds.

I have tried using props.conf with the following configuration:

[test]
TIME_PREFIX = ^
TIME_FORMAT = %s.%6N
MAX_TIMESTAMP_LOOKAHEAD = 17

But didn’t work.

Any suggestion?

Thanks.

Tags (1)
0 Karma

dwaddle
SplunkTrust
SplunkTrust

I think this is a display formatting thing more than anything else. I took your config and sample data and loaded it up. When I search on it, I do only see the time out to 3 decimals. I did a slightly different search, however, and found that Splunk is storing all 6 decimals, just truncating at display time.

sourcetype=test | eval foo=_time | table _time, foo

If you run this search, you'll see the the results formatted as

5/11/11 1:51:16.192 AM  1305096676.192356

Which suggests that the time is being extracted/stored with full 6-decimal accuracy, but only being displayed with 3. I don't know the explanation for this behavior or if it can be changed - but it would be a good follow on question.

Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...