{"id":25457,"date":"2020-11-20T20:12:31","date_gmt":"2020-11-20T20:12:31","guid":{"rendered":"https:\/\/merikebi.warrenmyers.com\/?p=25457"},"modified":"2020-11-20T20:12:31","modified_gmt":"2020-11-20T20:12:31","slug":"answer-by-warren-for-use-sub-second-precision-on-earliest-in-splunk-query","status":"publish","type":"post","link":"https:\/\/merikebi.warrenmyers.com\/?p=25457","title":{"rendered":"Answer by warren for Use sub-second precision on “earliest” in Splunk query"},"content":{"rendered":"

Yes, earliest<\/code><\/a>‘s precision is limited to "standard" Unix<\/a> epoch time<\/a> (ie the number of elapsed seconds since the dawn of Unix (arbitrarily set to 01 Jan 1970 00:00:01 (or, sometimes, 31 Dec 1969 23:59:59))) because the _time<\/code><\/a> field holds whole-number seconds<\/em>.<\/p>\n

Splunk knows how to convert<\/a> timestamps<\/a> seen with more<\/em> precision than mere seconds, but that does not mean _time<\/code> natively holds them.<\/p>\n

_time<\/code>, and, therefore, anything that references it (like earliest<\/code>) does not understand subsecond precision. For that<\/em>, you will need to have another field that contains it in your event.<\/p>\n

from User warren – Stack Overflow https:\/\/stackoverflow.com\/questions\/64232440\/use-sub-second-precision-on-earliest-in-splunk-query\/64936207#64936207
\nvia IFTTT<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Yes, earliest‘s precision is limited to "standard" Unix epoch time (ie the number of elapsed seconds since the dawn of Unix (arbitrarily set to 01 Jan 1970 00:00:01 (or, sometimes, 31 Dec 1969 23:59:59))) because the _time field holds whole-number seconds. Splunk knows how to convert timestamps seen with more precision than mere seconds, but …
Continue reading Answer by warren for Use sub-second precision on “earliest” in Splunk query<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4],"tags":[991],"keyring_services":[],"class_list":["post-25457","post","type-post","status-publish","format-standard","hentry","category-blih","tag-stackexchange"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/25457","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=25457"}],"version-history":[{"count":1,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/25457\/revisions"}],"predecessor-version":[{"id":25458,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=\/wp\/v2\/posts\/25457\/revisions\/25458"}],"wp:attachment":[{"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=25457"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=25457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=25457"},{"taxonomy":"keyring_services","embeddable":true,"href":"https:\/\/merikebi.warrenmyers.com\/index.php?rest_route=%2Fwp%2Fv2%2Fkeyring_services&post=25457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}