Hi,
My Splunk indexes event time down to the millisecond (e.g., 01/14/2016 23:59:59.326 AM). I know this can find events down to the second:
index=index1 sourcetype=sourcetype1 earliest=01/08/2016:00:00:00 latest=01/14/2016:23:59:59
Is there a way to find events down to the millisecond?
You can use the subsearch method to achieve the same. See this run-anywhere example:
index=_internal [| gentimes start=-1 | eval earliest=strptime("08/01/2016 10:53:54.987","%m/%d/%Y %H:%M:%S.%N") | table earliest] [| gentimes start=-1 | eval latest=strptime("08/01/2016 10:53:54.997","%m/%d/%Y %H:%M:%S.%N") | table latest ]| head 100
This will include all events between 01/08 and 01/14:
index=index1 sourcetype=sourcetype1 earliest=01/08/2016:00:00:00 latest=01/15/2016:00:00:00
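An added example, not part of either answer above: it reproduces in Python what the subsearch answer's strptime call and the "latest = start of the next day" answer rely on, so a millisecond window can be checked against constructed sample events before the search is run. It assumes the timestamps are UTC and that Splunk treats earliest as inclusive and latest as exclusive; the event data and helper names are my own.

```python
from datetime import datetime, timezone

# Constructed sample events (not taken from the page): millisecond-precision
# timestamps as the question describes, interpreted as UTC here.
SAMPLE_EVENTS = [
    ("08/01/2016 10:53:54.986", "login ok user=alice"),
    ("08/01/2016 10:53:54.987", "login failed user=bob"),
    ("08/01/2016 10:53:54.992", "login failed user=bob"),
    ("08/01/2016 10:53:54.997", "lockout user=bob"),
    ("08/01/2016 10:53:55.001", "login ok user=carol"),
]


def to_epoch_ms(ts, fmt="%m/%d/%Y %H:%M:%S.%f"):
    """Mirror Splunk's strptime(ts, "%m/%d/%Y %H:%M:%S.%N"): parse a
    millisecond timestamp and return epoch seconds as a float.
    Python's strptime has no %N, so %f is used; a three-digit fraction
    such as ".987" parses as 987000 microseconds, i.e. 0.987 s."""
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc).timestamp()


def ms_window(events, earliest_ts, latest_ts):
    """Apply the assumed Splunk range semantics to a list of (timestamp, message)
    tuples: keep events with earliest <= _time < latest, at millisecond precision.
    The exclusive upper bound is why latest=01/15/2016:00:00:00 captures all of
    01/14 without any rounding at 23:59:59."""
    lo, hi = to_epoch_ms(earliest_ts), to_epoch_ms(latest_ts)
    return [(ts, msg) for ts, msg in events if lo <= to_epoch_ms(ts) < hi]


def build_search(index, earliest_ts, latest_ts):
    """Emit the subsearch form of the SPL shown in the answer, parameterised
    on the two millisecond boundaries so the window can be regenerated."""
    sub = ('[| gentimes start=-1 | eval {name}=strptime("{ts}",'
           '"%m/%d/%Y %H:%M:%S.%N") | table {name}]')
    return " ".join([
        f"index={index}",
        sub.format(name="earliest", ts=earliest_ts),
        sub.format(name="latest", ts=latest_ts),
    ])


if __name__ == "__main__":
    hits = ms_window(SAMPLE_EVENTS, "08/01/2016 10:53:54.987", "08/01/2016 10:53:54.997")
    for ts, msg in hits:
        print(ts, msg)
    print(build_search("_internal", "08/01/2016 10:53:54.987", "08/01/2016 10:53:54.997"))
```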