Reputation: 1264
Use sub-second precision on "earliest" in Splunk query
I have a Splunk search string. If I add earliest=10/05/2020:23:59:58, the search string still works. However, if I changed that to earliest=10/05/2020:23:59:58:01, I got an error message say invalid value "10/05/2020:23:59:58:01" for time term 'earliest'. Does that mean Splunk's earliest parameter's precision is to second only? I cannot find the answer in their documents.
Thanks!
Upvotes: 3
Views: 906
Answers (2)
Reputation: 31
For millisecond search time, include timeformat=%m/%d/%Y:%H:%M:%S:%3N together with your earliest=10/05/2020:23:59:58:01.
Upvotes: 0
Reputation: 33435
Yes, earliest's precision is limited to "standard" Unix epoch time (ie the number of elapsed seconds since the dawn of Unix (arbitrarily set to 01 Jan 1970 00:00:01 (or, sometimes, 31 Dec 1969 23:59:59))) because the _time field holds whole-number seconds.
Splunk knows how to convert timestamps seen with more precision than mere seconds, but that does not mean _time natively holds them.
_time, and, therefore, anything that references it (like earliest) does not understand subsecond precision. For that, you will need to have another field that contains it in your event.
Upvotes: 1
Related Questions
- Epoch time conversion to time in Splunk
- Splunk - Assigning custom time
- dispatch.earliest_time in savedsearches.conf file
- Splunk Understanding Difference with epoch time and adding min
- Splunk showing wrong index time
- How to Splunk search for transaction types that have a median latency above 3 seconds
- How to convert custom time into minutes in splunk
- Splunk query to get max indexed timestamp for a source type
- Splunk query substract time
- Splunk - Adjusting source file timestamp