Refine your search:

what do the indexed fields `timeendpos` and `timestartpos` represent?

0

I am new to Splunk.

What do the indexed fields timeendpos and timestartpos represent?

Since one report the company asks for from our archived Apache log files is the duration of the longest queries, I am curious about these fields and how to translate the corresponding integer values, if they have meaning.

asked 22 Mar '12, 17:50

boris's gravatar image

boris
1829
accept rate: 40%

One Answer:
oldestnewestmost voted
3

They mean just how far into the event that Splunk thinks (usually correct) that your timestamp goes.

timestartpos (at which byte the timestamp starts) timeendpos (at which bye into the event the timestamp ends)

If you are experiencing timestamping issues, you should look into how you can alter this behaviour through props.conf settings for your sourcetype;

TIMESTAMP_LOOKAHEAD = number
TIME_FORMAT = strftime format
TIME_PREFIX = regex

Hope this helps,

Kristian

link

answered 22 Mar '12, 18:47

kristian.kolb's gravatar image

kristian.kolb
10.1k616
accept rate: 33%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×264
×180

Asked: 22 Mar '12, 17:50

Seen: 873 times

Last updated: 22 Mar '12, 18:47

Related questions

What would cause the "date_*" fields to be missing from an event?

InterMapper app sourcetype not intermapper

Newbee and blacklistng

Adding Value to Host=

Some Single Line Messages Are Merged into a Single Event

'NOT' not working properly since 4.3

Copyright © 2005-2012 Splunk Inc. All rights reserved.