Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Accelerated data model not storing milliseconds in _time

payal23
Path Finder
‎08-07-2019 10:14 PM

I am not able to capture milliseconds in accelerated data model.

Query is like :

|tstats max(_time) as Start min(_time) as End from datamodel=One.A where nodename=B.A by A.Id|eval duration=End-Start

Raw logs are having milliseconds but the above query is not having the milliseconds.

Thanks
PAyal

Reply

BernardEAI
Communicator
‎04-28-2021 05:24 AM

I  am experiencing the same problem. When searching an accelerated data model, the miliseconds of the _time field is lost (when using a tstats latest search). This is a problem, since the miliseconds are needed to accurately determine the latest event!

I describe the problem in more detail in a question I posted here: 

https://community.splunk.com/t5/Splunk-Search/Data-model-time-field-format/m-p/549121#M155777 

Tags (1)
0 Karma
Reply

Sukisen1981
Champion
‎08-26-2019 12:12 AM

hi @payal23
What happens if you try this

|tstats max(_time) as Start min(_time) as End from datamodel=One.A where nodename=B.A by A.Id| eval newstrt=strftime(Start,"%Y-%m-%d %H:%M:%S:%3N %p")| eval newend=strftime(End,"%Y-%m-%d %H:%M:%S:%3N %p")

Can you see milliseconds now?

0 Karma
Reply

payal23
Path Finder
‎09-02-2019 07:37 PM

Hi Suki, @Sukisen1981

if i search for last 15 - 20 mins milliseconds are displaying.. But if i search any older time than this.. then it is not displaying milliseconds.

My question is that while saving the data in the indexer (accelerated data model) will it not save the milliseconds?

0 Karma
Reply

jawaharas
Motivator
‎08-08-2019 12:06 AM

May I know the name of datamodel you are using?

Ideally below query return _time in epoch format. What you get?

|tstats max(_time) as Start min(_time) as End from datamodel=One
0 Karma
Reply

payal23
Path Finder
‎08-08-2019 01:00 AM

yes. In epoch format. But that value does not have milliseconds.

So, in raw logs time is 5:49:08.715 PM and the tstats epoch converted time has 1565250548.

0 Karma
Reply

jawaharas
Motivator
‎08-08-2019 08:39 PM

I hope you can see the milliseconds when you run below query.

| from datamodel One
| table _time
0 Karma
Reply

payal23
Path Finder
‎08-21-2019 10:27 PM

yes I am able to see here.. but if i do max or min of the time.. millisecond is not printing

0 Karma
Reply

jawaharas
Motivator
‎08-25-2019 09:59 PM

I can't reproduce the issue with below query on 'Authentication' datamodel.

|tstats max(_time) as Start min(_time) as End from datamodel=One

Is yours custom datamodel? if it's standard one, can you share the datamodel name?

0 Karma
Reply

payal23
Path Finder
‎09-02-2019 07:39 PM

@jawaharas It's a custom data model. Can you try accelerating that data model and look for milliseconds?

0 Karma
Reply

jawaharas
Motivator
‎09-02-2019 10:30 PM

We can see milliseconds in accelerated data model.

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...