
Use sub-second precision on "earliest" in Splunk query

I have a Splunk search string. If I add earliest=10/05/2020:23:59:58, the search string still works. However, if I change that to earliest=10/05/2020:23:59:58:01, I get an error message saying invalid value "10/05/2020:23:59:58:01" for time term 'earliest'. Does that mean Splunk's earliest parameter's precision is to the second only? I cannot find the answer in their documents.

Thanks!

Yes, earliest's precision is limited to "standard" Unix epoch time (i.e. the number of elapsed seconds since the dawn of Unix (arbitrarily set to 01 Jan 1970 00:00:01 (or, sometimes, 31 Dec 1969 23:59:59))) because the _time field holds whole-number seconds.

Splunk knows how to convert timestamps seen with more precision than mere seconds, but that does not mean _time natively holds them.

_time, and, therefore, anything that references it (like earliest) does not understand subsecond precision. For that, you will need to have another field that contains it in your event.

For millisecond search time, include timeformat=%m/%d/%Y:%H:%M:%S:%3N together with your earliest=10/05/2020:23:59:58:01.
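A helper for building the millisecond-precision time terms described in this answer, added here as an illustration and not part of the original post. It assumes timestamps are UTC (Splunk itself interprets earliest/latest in the searching user's time zone) and that the millisecond field is always three digits, as %3N requires; the function names are my own.

```python
from datetime import datetime, timezone

# Splunk-style timeformat from the answer above. Python's strptime has no %3N,
# so the millisecond field is split off and converted by hand.
SPLUNK_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S:%3N"
PY_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"


def parse_splunk_ms(value: str) -> float:
    """Parse '10/05/2020:23:59:58:010' (assumed UTC) into epoch seconds with ms."""
    base, _, millis = value.rpartition(":")
    # %3N means exactly three digits; '58:01' as in the question would not match.
    if not (millis.isdigit() and len(millis) == 3):
        raise ValueError(f"expected 3-digit milliseconds (%3N) in {value!r}")
    dt = datetime.strptime(base, PY_TIMEFORMAT).replace(tzinfo=timezone.utc)
    return dt.timestamp() + int(millis) / 1000.0


def format_splunk_ms(epoch: float) -> str:
    """Render epoch seconds (float) in the %3N layout Splunk will parse back."""
    dt = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return dt.strftime(PY_TIMEFORMAT) + f":{dt.microsecond // 1000:03d}"


def time_window_clause(start: str, end: str) -> str:
    """Build the SPL time terms for a millisecond-precision search window.

    Both values are validated first so a malformed boundary fails here
    rather than as an 'invalid value for time term' error inside Splunk.
    """
    if parse_splunk_ms(end) <= parse_splunk_ms(start):
        raise ValueError("latest must be after earliest")
    return (f'timeformat="{SPLUNK_TIMEFORMAT}" '
            f'earliest="{start}" latest="{end}"')


if __name__ == "__main__":
    # Constructed example: a 240 ms window around the question's timestamp.
    print(time_window_clause("10/05/2020:23:59:58:010",
                             "10/05/2020:23:59:58:250"))
```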
