I have timestamps in my data sources that are EPOCH with fractional microseconds, for example:

```
1547528398.991103
1547528400.021926
```
I have set up my props.conf with the following:

```
INDEXED_EXTRACTIONS = TSV
TIME_FORMAT = %s.%6Q
KV_MODE = none
FIELD_DELIMITER = \t
FIELD_QUOTE = "
FIELD_NAMES = ts,hostid,tx_hosts,rx_hosts,conns,source,message
TIMESTAMP_FIELDS = ts
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
TZ = UTC
```
I think the indexer is having a performance issue when processing the timestamps. However, I would like to know the following:
Is this the correct extraction for the EPOCH timestamp with microseconds? `TIME_FORMAT = %s.%6Q` or should the extraction be `%s.%6N` or some other format?
Can I tell Splunk in props.conf (or transforms.conf) to round the fractional seconds or drop them from processing?
Any help is appreciated!
Happy Splunking!
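As an added example (not part of the question, and not an answer about Splunk's own `%Q`/`%N` handling): a small pre-ingest check that parses the tab-delimited layout and the `epoch.microseconds` `ts` field described above, so you can confirm every line carries the timestamp shape the props.conf expects and see what dropping the fraction would do. The `check_timestamps`/`parse_tsv_line` names and the sample rows are constructed for this example.

```python
import csv
from datetime import datetime, timezone

# Field layout taken from the FIELD_NAMES line of the props.conf in the question.
FIELD_NAMES = ["ts", "hostid", "tx_hosts", "rx_hosts", "conns", "source", "message"]

def parse_epoch_micro(value, drop_fraction=False):
    """Parse an 'epochseconds.microseconds' string such as 1547528398.991103.

    Integer arithmetic keeps the six fractional digits exact. With
    drop_fraction=True the fraction is discarded (truncated, not rounded),
    i.e. what the question asks about doing on the Splunk side.
    """
    secs, _, frac = value.strip().partition(".")
    if not secs.isdigit() or (frac and not frac.isdigit()) or len(frac) > 6:
        raise ValueError(f"not an epoch.microsecond timestamp: {value!r}")
    micros = 0 if drop_fraction else int(frac.ljust(6, "0"))
    base = datetime.fromtimestamp(int(secs), tz=timezone.utc)  # TZ = UTC in props.conf
    return base.replace(microsecond=micros)

def parse_tsv_line(line, drop_fraction=False):
    """Split one event (FIELD_DELIMITER tab, FIELD_QUOTE ") and add an ISO _time."""
    fields = next(csv.reader([line.rstrip("\r\n")], delimiter="\t", quotechar='"'))
    if len(fields) != len(FIELD_NAMES):
        raise ValueError(f"expected {len(FIELD_NAMES)} fields, got {len(fields)}")
    event = dict(zip(FIELD_NAMES, fields))
    event["_time"] = parse_epoch_micro(event["ts"], drop_fraction).isoformat()
    return event

def check_timestamps(lines, drop_fraction=False):
    """Return (events, errors): parsed events plus (line_no, reason) for bad lines."""
    events, errors = [], []
    for n, line in enumerate(lines, 1):
        try:
            events.append(parse_tsv_line(line, drop_fraction))
        except ValueError as exc:
            errors.append((n, str(exc)))
    return events, errors

# Constructed sample rows: the two timestamps from the question plus one row in
# the wrong timestamp format; the other columns are placeholders, not real data.
SAMPLE_LINES = [
    "1547528398.991103\th1\tsrv-a\tsrv-b\t3\tsensor-a\tok",
    "1547528400.021926\th2\tsrv-c\tsrv-d\t1\tsensor-b\tok",
    "2019-01-15T05:00:00Z\th3\tsrv-e\tsrv-f\t1\tsensor-c\twrong ts format",
]

if __name__ == "__main__":
    events, errors = check_timestamps(SAMPLE_LINES)
    for ev in events:
        print(ev["ts"], "->", ev["_time"])
    for n, reason in errors:
        print(f"line {n}: {reason}")
```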