WinEventLog Milli seconds identification.

thirumalreddyb · ‎06-08-2017

Splunk is not parsing the milliseconds into _time field. How to parse it during the index time?

I have updated my TIME_FORMAT in props in all the search peers; yet it is not parsing properly.

Thanks in advance.

hettervik · ‎02-12-2018

After looking some more into the problem with Splunk not extracting milliseconds from WinEventLog, I found this thread:

https://answers.splunk.com/answers/489938/splunk-add-on-for-microsoft-windows-why-is-timesta.html

It seems to be the answer for your question. Unfortunately the timestamp for WinEventLog is parsed at input time, and cannot be corrected later on at indexs time.

hettervik · ‎02-12-2018

Hi. Did you find out why your parsing for WinEventLog doen't extract the milliseconds? I seem to have the same problem. I've sat TIME_FORMAT in props.conf, but still it seems to be ignored. Also I've checked using the data onboarding UI in Splunk that the TIME_FORMAT setting is indeed correct for the logs.

teunlaan · ‎06-08-2017

Does you WinEventLog have milliseconds in the timestamp?

thirumalreddyb · ‎06-10-2017

I downvoted this post because this is not an answer. this prevented others from looking into the question.

thirumalreddyb · ‎06-08-2017

Yes, this is that format => %Y-%m-%dT%H:%M:%S.%9NZ

teunlaan · ‎06-08-2017

so if you do index=windows| table _raw You also see the milliseconds in the message?

how do you collect the Wineventlog? "normal" or by xml?

thirumalreddyb · ‎06-08-2017

We collect them in xml format.

WinEventLog Milli seconds identification.

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms