Splunk Search

Can I configure milliseconds in Splunk for the incoming events?

rakesh_498115
Motivator

Hi.

In my events I have the timestamp like HH:MM:SS (seconds), so Splunk is taking this timestamp by default, but I need to have the milliseconds as well to do some stats. How can I configure settings in Splunk in such a way that whenever an event comes to Splunk, I can show the time as the current system time, i.e. the time at which the event came to Splunk, including the milliseconds?

My sample log event is as follows:

```
Jul 25 11:52:03 10.230.189.141 Jul 25 11:52:04 System: 0199B1 X0000000 0C00D D Configuration export a succeeded
```

Please help asap.

Thanks

Jason
Motivator

We are looking for an answer to this too at my client this week. Basically, how to give an enterprise application more precision.

The best option is to have the app itself write in millisecond precision. This eliminates all differences due to network lag, indexing lag (Splunk has buffers, so events may not be indexed instantly) etc.

(ANY other type of sub-second statistics, by definition, are not going to be fully accurate! ...due to the amount of time the event takes to get out of the application, across the network, and in to the Splunk server. So you should question whether or not it is even worth giving this type of stat out to your user, because their expectation could be set on something inherently inaccurate.)

Since this does not seem to be an option until a further release of the application in question, we are going to try to eliminate as many Splunk variables as possible by using a syslog server (syslog-ng) to accept the syslog traffic and write a millisecond timestamp as to when it was received.

It seems syslog-ng's "frac_digits" option can be used, either in a global options{} statement, or per "destination" - such as the file Splunk will monitor.
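As an added illustration of the approach described above (not configuration from the original thread), this is a minimal syslog-ng.conf that stamps every received line with the syslog-ng receive time at millisecond precision. The listening port, file path and version line are assumptions; adjust them to the site.

```conf
# Added example, not from the original thread. Ports, paths and the
# version line are assumptions.
@version: 3.8

options {
    # Three fractional digits (milliseconds) for all date macros,
    # including R_ISODATE below. Equivalent to setting frac_digits()
    # on the individual destination instead.
    frac_digits(3);
    # Keep the sending host's name rather than the relay's.
    keep_hostname(yes);
    # No DNS lookups on the receive path, so name resolution cannot
    # add latency to the stamped time.
    use_dns(no);
};

# Syslog input from the appliance (assumed UDP/514).
source s_net {
    network(transport("udp") port(514));
};

# File that Splunk will monitor. R_ISODATE is the time syslog-ng
# RECEIVED the message, so each line gets a millisecond stamp
# regardless of what the sender wrote, e.g.
#   2013-07-25T11:52:04.123+00:00 host System: ... succeeded
destination d_splunk {
    file("/var/log/syslog-ng/splunk/${HOST}.log"
         template("${R_ISODATE} ${HOST} ${MESSAGE}\n")
         create_dirs(yes));
};

log { source(s_net); destination(d_splunk); };
```

On the Splunk side (assumed, not covered in the thread), a props.conf stanza for that sourcetype with TIME_PREFIX = ^ and TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z makes _time carry the milliseconds so stats can use them. The stamp still measures arrival at syslog-ng, not the moment the application emitted the event, as the answer above cautions.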

rakesh_498115
Motivator

Thanks Jason, it worked 🙂

kristian_kolb
Ultra Champion

Maybe this can help you along,

Each event has a hidden field called _indextime, which is the local time of the indexer at the time the event was indexed. I believe(?) that unfortunately it cannot be accessed directly, say like in a table or chart, but you can eval xxx=_indextime and use xxx for presentation purposes.

For a little more info, see:
http://splunk-base.splunk.com/answers/171/using-_indextime-to-specify-time-range

Hope this helps,

Kristian


kristian_kolb
Ultra Champion

Aah, sorry about that. I wasn't aware of those limitations at the time of writing. I don't know if Splunk can be configured to store the _indextime with sub-seconds, but I doubt it.

/k


rakesh_498115
Motivator

Splunk is not taking the time format in milliseconds, i.e. I am unable to get the milliseconds value for my time when I use _indextime... 😞

rakesh_498115
Motivator

Even when I use _indextime, I am getting the milliseconds as 0. I have used it like this: eval Time=strftime(_indextime,"%H:%M:%S:%6N"), but this is not working?
