Solved: Splunk timestamp Milliseconds vs Microseconds

jadengoho · ‎03-30-2020

Hi All,
What would be the impact if i use "%Q" rather than "%6Q" ?
Cause i'm seeing a 20min time delay on Splunk ingestion, is this because of this or not ?

Log Example:
- 2020-03-08-15.31.10.838384
- 2020-02-01-18.25.15.738385

https://docs.splunk.com/Documentation/Splunk/8.0.2/SearchReference/Commontimeformatvariables
https://docs.splunk.com/Documentation/Splunk/8.0.2/Troubleshooting/Troubleshootingeventsindexingdela...

richgalloway · ‎03-30-2020

Using the wrong time variable may prevent Splunk from matching your data. At best, it will only accept 3 decimal places.
Since %Q is the same as %3Q, which does not match microseconds, you should use %6Q.

I doubt this explains the 20-minute delay, however. Have you verified the clocks are correct on all systems?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-30-2020

Using the wrong time variable may prevent Splunk from matching your data. At best, it will only accept 3 decimal places.
Since %Q is the same as %3Q, which does not match microseconds, you should use %6Q.

I doubt this explains the 20-minute delay, however. Have you verified the clocks are correct on all systems?

---
If this reply helps you, Karma would be appreciated.

jadengoho · ‎03-30-2020

Yes the clocks are correct, maybe it's due to other stuff on their server.
Thanks.

Splunk timestamp Milliseconds vs Microseconds

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk