3_2UnstableSearchScrumChanges

This documentation does not apply to the most recent version of Splunk.

This documentation applies to the following versions of Splunk: 3.1.1, 3.1.3, 3.1.4

SplunkWeb changes & impact

  • The "Core fields only" checkbox is removed.
    • All references in the docs and all screenshots showing this checkbox need to be updated.
  • You do not have to pipe to typer or tags in SplunkWeb.

readlevel:: modifier no longer exists

The search modifier readlevel no longer exists.

  • Need to remove this from the search reference, and remove references to it in examples in the documentation.
  • Need to check and see if readlimit:: is also removed.

search/where search simplification

  • Piping to where and filter is no longer useful (the commands still exist). You can now do that directly in the search clause.
    • Need to update examples and make notes in the CLI and online docs search reference pages.
  • Need to document the protected characters [ ] | = > < that are recognized by the search parser.
    • Need to add a section in the search reference, and in spots in the user manual.
    • Added protected characters < and >.

Live tail

  • The name of live tail is being debated.

Enhanced strptime parsing

  • to be placed in Admin-timestamping section.

Splunk's timestamp parsing is specified in the props.conf configuration file through the TIME_FORMAT= key. In previous versions of Splunk the strptime parsing was limited in its granularity. Splunk could only parse using the standard strptime (%*) conversion specifications.


Splunk now supports microseconds, milliseconds, and any time width format plus some additional time formats for compatibility (see table below).


Splunk's enhanced strptime conversion support:


  %N               For GNU date-time nanoseconds. You can specify any sub-second parsing if you provide the width: %.3N = milliseconds, %.6N = microseconds, %.9N = nanoseconds.
  %Q, %q           For milliseconds, microseconds for Apache Tomcat. %Q and %q can format any time resolution if the width is specified.
  %I               For hours on a 12-hour clock format. If %I appears after %S or %s (like "%H:%M:%S.%l") it takes on the log4cpp meaning of milliseconds.
  %+               For standard UNIX date format timestamps.
  %v               For BSD and OSX standard date format.
  %z, %::z, %:::z  GNU libc support.
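
Why the sub-second width matters when ordering events, shown as an added Python example that is not Splunk's parser and not part of the original page. The helpers `parse_subsecond` and `order_events` are hypothetical, they handle one `%.<width>N` conversion (in the notation of the table above) on top of standard strptime, and the sample events are constructed.

```python
import re
from datetime import datetime

# Width-qualified sub-second conversion in this page's notation:
# %.3N = milliseconds, %.6N = microseconds, %.9N = nanoseconds.
SUBSEC = re.compile(r"%\.([1-9])N")
DIRECTIVE = re.compile(r"%\.[1-9]N|%.")

# Constructed sample events (not from the page): same second, out of order.
SAMPLE = [
    "2008-03-14 09:15:02.731 session closed user=alice",
    "2008-03-14 09:15:02.048 login accepted user=alice",
]


def parse_subsecond(value, time_format):
    """Return (datetime, nanoseconds); handles one %.<width>N (hypothetical helper)."""
    token = SUBSEC.search(time_format)
    if token is None:
        return datetime.strptime(value, time_format), 0
    # Regex that locates the sub-second digits: literals are escaped, standard
    # conversions match lazily, %.<width>N captures exactly <width> digits.
    pattern, pos = "", 0
    for m in DIRECTIVE.finditer(time_format):
        pattern += re.escape(time_format[pos:m.start()])
        pattern += r"(\d{%s})" % token.group(1) if m.start() == token.start() else ".+?"
        pos = m.end()
    pattern += re.escape(time_format[pos:])
    found = re.fullmatch(pattern, value)
    if found is None:
        raise ValueError("timestamp %r does not match %r" % (value, time_format))
    nanos = int(found.group(1).ljust(9, "0"))
    # Hand everything except the sub-second digits to the standard parser.
    rest_value = value[:found.start(1)] + value[found.end(1):]
    rest_format = time_format[:token.start()] + time_format[token.end():]
    base = datetime.strptime(rest_value, rest_format)
    return base.replace(microsecond=nanos // 1000), nanos


def order_events(lines, time_format="%Y-%m-%d %H:%M:%S.%.3N", stamp_len=23):
    """Sort events by timestamp, with nanoseconds breaking same-second ties."""
    def key(line):
        stamp, nanos = parse_subsecond(line[:stamp_len], time_format)
        return stamp.replace(microsecond=0), nanos
    return sorted(lines, key=key)
```

With a seconds-only format the two sample events parse to the same instant, so their relative order in a timeline cannot be recovered from the timestamp alone.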