Getting Data In

How to configure wineventlog on a universal forwarder to include milliseconds in event timestamps?

esmith3
Engager

I'm using a Splunk 6.3.1 Universal Forwarder for Windows to forward a custom event viewer log to a Splunk indexer. Works fine except the timestamps do not have millisecond precision. I used a tcp sniffer to confirm the Windows outbound 9997 packet does not have the milliseconds ( 01/12/2016 06:52:48 PM). Using Windows Event Viewer, I can look at the same EventRecordID event properties and see the millisecond detail IS available ( TimeCreated [ SystemTime] 2016-01-12T23:52:48.196341700Z).

Is there a configuration setting for the Forwarder I can make to send the timestamps with milliseconds?

0 Karma

jkat54
SplunkTrust
SplunkTrust

Hello esmith3,

There are two windows event log views (provided by microsoft, independent of splunk):

  1. The General Tab (everything is in "human language", datetime stamp doesnt have ms)
  2. The XML View (everything is in "machine language" (XML), datetimestampe DOES have ms)

Those details you speak of are in the XML view but you're not using RenderXML = True to see the XML view. Therefore, you're not seeing the milliseconds. WARNING: if you switch to XML view, you'll find other behavior you wont like.

Finally, if this makes you upset make sure you blame M$ not Splunk because Splunk has nothing to do with M$ coding. Well... they did setup shop in washington just to leech talent from M$ so technically some of the Splunk developers might have something to do with event viewer code, but XML vs Human view has been around since pre Windows 2000. So it would be a SR Dev / Architect you'd probably want to blame instead of Splunk as a whole.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...