_time resolution in Summary Index

lpolo
Motivator

The following query construct populates a summary index:

source=1.log OR source=2.log |
eval _time = case(source == "1.log", _time)|
stats 
 first(_time)  as _time 
….other fields….
 dc(source) as dc by id|search dc=2

The resolution of the _time timestamp for each source log is in milliseconds. Example: 2013-06-13 04:00:15,250

Question:
Why isn’t the time resolution in the summary index in milliseconds (e.g., 2013-06-13 04:00:15 +0000)?

Jason
Motivator

It appears milliseconds are dropped by the command that creates the summary index file - I'm going to file a bug. Case 123267

sbsbb
Builder

I'm experiencing the same problem. Anything new about this bug?

0 Karma

lpolo
Motivator

Thank you Jason.

Lp

0 Karma