在 Splunk 查询中对“最早”使用亚秒精度
[英]Use sub-second precision on "earliest" in Splunk query
问题描述
I have a Splunk search string.
我有一个 Splunk 搜索字符串。 If I add earliest=10/05/2020:23:59:58 , the search string still works.如果我添加earliest=10/05/2020:23:59:58 ,搜索字符串仍然有效。 However, if I changed that to earliest=10/05/2020:23:59:58: 01 , I got an error message say invalid value "10/05/2020:23:59:58:01" for time term 'earliest' .但是,如果我将其更改为 earliest=10/05/2020:23:59:58: 01 ,我会收到一条错误消息,指出时间项的无效值“10/05/2020:23:59:58:01” '最早' . Does that mean Splunk's earliest parameter's precision is to second only?这是否意味着 Splunk最早的参数精度仅次于第二? I cannot find the answer in their documents.我在他们的文件中找不到答案。
Thanks!谢谢!
2 个解决方案
解决方案1
1 已采纳 2020-11-20 20:09:55
Yes, earliest 's precision is limited to "standard" Unix epoch time (ie the number of elapsed seconds since the dawn of Unix (arbitrarily set to 01 Jan 1970 00:00:01 (or, sometimes, 31 Dec 1969 23:59:59))) because the _time field holds whole-number seconds .是的, earliest的精度仅限于“标准” Unix 纪元时间(即自 Unix 诞生以来经过的秒数(任意设置为 1970 年 1 月 1 日 00:00:01(或有时,1969 年 12 月 31 日 23:59) :59))) 因为_time字段包含整数seconds 。
Splunk knows how to convert timestamps seen with more precision than mere seconds, but that does not mean _time natively holds them. Splunk 知道如何以比秒数更精确的方式转换看到的时间戳,但这并不意味着_time本身就拥有它们。
_time , and, therefore, anything that references it (like earliest ) does not understand subsecond precision. _time ,因此,任何引用它的东西(比如earliest )都不能理解亚秒级精度。 For that , you will need to have another field that contains it in your event.对于这一点,你需要有一个包含在你的事件另一个领域。
解决方案2
0 2022-06-15 23:54:03
For millisecond search time, include timeformat=%m/%d/%Y:%H:%M:%S:%3N together with your earliest=10/05/2020:23:59:58:01.对于毫秒搜索时间,包括 timeformat=%m/%d/%Y:%H:%M:%S:%3N 以及您的 earliest=10/05/2020:23:59:58:01。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.