Timestamp precision #161

Closed
13ogdan opened this issue Oct 31, 2022 · 4 comments

@13ogdan

13ogdan commented Oct 31, 2022

In our project, we have an issue with searching for fast operations. If the difference between two events is less than 1 millisecond, the _time property cannot be used properly, as both events have the same timestamp.
The solution is pretty simple, and I didn't find any drawbacks. Change the number of epoch digits from 3 to 6:

    internal static class EpochExtensions
    {
        private static DateTimeOffset Epoch = new DateTimeOffset(1970,1,1,0,0,0,TimeSpan.Zero);

        public static double ToEpoch(this DateTimeOffset value)
        {
            // From Splunk HTTP Collector Protocol
            // The default time format is epoch time format, in the format <sec>.<ms>. 
            // For example, 1433188255.500 indicates 1433188255 seconds and 500 milliseconds after epoch, 
            // or Monday, June 1, 2015, at 7:50:55 PM GMT.
            // See: http://dev.splunk.com/view/SP-CAAAE6P

            return Math.Round((value - Epoch).TotalSeconds, 6, MidpointRounding.AwayFromZero);
        }
    }
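
Added example (not part of the original issue or the serilog-sinks-splunk code base): formatting the epoch value from integer ticks instead of a rounded double, at 3, 6 and 9 fractional digits, for two constructed events 400 microseconds apart, so the point at which they stop sharing a timestamp is visible. `EpochFormat` and `ToEpochString` are hypothetical names.

```csharp
// Added example, not code from serilog-sinks-splunk. EpochFormat and
// ToEpochString are hypothetical names; the sample timestamps are constructed.
using System;
using System.Globalization;

public static class EpochFormat
{
    private static readonly DateTimeOffset Epoch = new DateTimeOffset(1970, 1, 1, 0, 0, 0, TimeSpan.Zero);

    // Formats <sec>.<fraction> from integer ticks (1 tick = 100 ns), so no
    // double rounding is involved. Digits 8 and 9 are always zero because
    // DateTimeOffset carries no finer resolution than 100 ns.
    public static string ToEpochString(DateTimeOffset value, int digits)
    {
        if (digits < 1 || digits > 9)
            throw new ArgumentOutOfRangeException(nameof(digits));

        long ticks = (value - Epoch).Ticks;
        if (ticks < 0)
            throw new ArgumentOutOfRangeException(nameof(value), "pre-1970 timestamp");

        long seconds = ticks / TimeSpan.TicksPerSecond;
        long nanos = (ticks % TimeSpan.TicksPerSecond) * 100; // 0..999_999_900

        // Truncate (never round up) so the seconds part cannot roll over.
        string fraction = nanos.ToString("D9", CultureInfo.InvariantCulture)
                               .Substring(0, digits);
        return seconds.ToString(CultureInfo.InvariantCulture) + "." + fraction;
    }

    public static void Main()
    {
        // Constructed sample: two events 400 microseconds apart.
        var first = new DateTimeOffset(2022, 10, 31, 12, 0, 0, TimeSpan.Zero)
            .AddTicks(1_234_567);               // +0.1234567 s
        var second = first.AddTicks(4_000);     // +400 us

        foreach (int digits in new[] { 3, 6, 9 })
            Console.WriteLine($"{digits}: {ToEpochString(first, digits)} " +
                              $"{ToEpochString(second, digits)}");

        // The double-based path for comparison: near 1.67e9 the spacing between
        // adjacent doubles is about 2.4e-7 s, so microseconds remain
        // distinguishable after rounding, but nanosecond digits are not exact.
        double asDouble = (first - Epoch).TotalSeconds;
        Console.WriteLine(asDouble.ToString("F9", CultureInfo.InvariantCulture));
    }
}
```
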
EEParker added a commit to EEParker/serilog-sinks-splunk that referenced this issue Feb 23, 2024
@VictorioBerra

@13ogdan Can you answer this? #172 (comment)

@hangy

hangy commented Mar 16, 2024

The official docs (web archive) only have examples with three decimals, but don't appear to limit it to three decimals. I've read in the past that better precision with more decimals is possible.

@VictorioBerra

CC @hangy @13ogdan @EEParker

I am working to test this now, I created a Splunk docker container via:

    docker run -d -p 8000:8000 -p 8088:8088 -e SPLUNK_START_ARGS='--accept-license' -e SPLUNK_PASSWORD='<password>' splunk/splunk:latest

I logged into the Web UI, and I created a HEC token, I also disabled SSL.

I checked out the PR via gh pr checkout 172

I ran the sample, and I toggled 3, 6, 9 via the new SubSecondPrecision enum and submitted an event for each.

The UI only seems to support 3:

I found the following thread: https://community.splunk.com/t5/Getting-Data-In/Time-parsing-working-correctly-but-not-able-to-see-nanoseconds/td-p/677657

It appears that I need to define a parsing rule to handle the 6/9 options. Is there a way we can confirm this works? I think we need to at least see some proof Slack is accepting the precision before we merge that PR.

@EEParker

I was able to confirm "Microseconds" (6) work with a props.conf file, but I couldn't get parsing rules to evaluate nanoseconds (9). There might be more config needed on the Splunk side.

    * | sort - _time | eval time=strftime(_time, "%Y-%m-%d %H:%M:%S:%9N") | table _time, time, Level, RenderedMessage

EEParker added a commit that referenced this issue Apr 3, 2024
* Bump System.Net.Http from 4.3.3 to 4.3.4 in /sample/Sample

Bumps System.Net.Http from 4.3.3 to 4.3.4.

Signed-off-by: dependabot[bot] <support@github.com>

* Bump System.Net.Http from 4.3.0 to 4.3.4 in /src/Serilog.Sinks.Splunk

Bumps System.Net.Http from 4.3.0 to 4.3.4.

Signed-off-by: dependabot[bot] <support@github.com>

* Bump System.Net.Http in /test/Serilog.Sinks.Splunk.Tests

Bumps System.Net.Http from 4.3.3 to 4.3.4.

Signed-off-by: dependabot[bot] <support@github.com>

* Bump System.Net.Http from 4.3.0 to 4.3.4 in /src/Serilog.Sinks.UDP

Bumps System.Net.Http from 4.3.0 to 4.3.4.

Signed-off-by: dependabot[bot] <support@github.com>

* add default batch config

* Update expired GitHub Key

* add default batch config

* Update expired GitHub Key

* fix bug dispose (#153)

* Regenerate API Key for NuGet

* Splunk 9.1 + .NET 6 (#166)

* Sample: Target net6.0. Added additional logging statements.

* Docker: Splunk 9.1.

* Tests: Target net6.0 and updated nuget packages.

* Added constant for services/collector. Event request trims / from uri. Updated collector URL for Splunk 9.1

* Update to serilog periodic batching 4.x (#168)

* Updated dependencies to Serilog 3.1 and Periodic Batching Sink to 4.0.0

* Update version to 4.0.0 due to the breaking constructor changes on the EventCollectorSink

* Update Dockerfile with net6.0 versions

* Use the latest version of Splunk

The 7.2 label does not appear to be available anymore.

* Add in missing build for net6.0

* Use forward slash for ignore

This should work on Windows as well

* Use the same Framework reference for the sample

Everything else is using at least net6.0 so the Sample should as well

---------

Co-authored-by: Justin Pfifer <justin.pfifer@carvana.com>
Co-authored-by: Jeff Parker, PE <EEParker@users.noreply.github.com>

* dotnet 8.0 updates (#171)

* Feature/161 subsecond decimals (#172)

* Fixes #161 add subsecond decimal configuration

* Fixes #167 Add a flag for RenderedMessage

* Update SubSecondPrecision to use an enum.

Based on 3,6,9 decimals, see
https://docs.splunk.com/Documentation/Splunk/9.2.0/SearchReference/Commontimeformatvariables

* Add unit tests and update documentation

* Invert renderMessage check

* Update sample docker-compose project

- add new tests
- add a docker-compose vscode project
- allow subsecond precision.

* Add comment for configuring splunk

* Fix formatting for nanoseconds

* Enable all tests in sample app

---------

Co-authored-by: Victorio Berra <toryberra@gmail.com>

* Set up GitHub Actions (#174)

* Enable GitHub Actions

* Main branch is called master in this repo

* Ignore .idea

* No need to offset builds by 200

* work on build for new project format

* add automatic release notes

---------

Co-authored-by: EEParker <EEParker@users.noreply.github.com>

* Filter branches that push to nuget (#177)

* Security Policy, scanning and dependency updates (#176)

* Add dependabot configuration

* Add codeql

* Add security policy

* Update dependabot.yml add newline

* update branches

* Update SECURITY.md

* Readme and package license fix

* Update dotnet pack command line

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Matthew Erbs <matthew.erbs@merbla.com>
Co-authored-by: Mohsen Rajabi <m.kabir8895@gmail.com>
Co-authored-by: Havagan <Havagan@users.noreply.github.com>
Co-authored-by: Justin Pfifer <61801015+jpfifer@users.noreply.github.com>
Co-authored-by: Justin Pfifer <justin.pfifer@carvana.com>
Co-authored-by: Victorio Berra <toryberra@gmail.com>
Co-authored-by: Nicholas Blumhardt <nblumhardt@nblumhardt.com>