https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317290#M2739 <P>I am currently generating a summary index using the following saved search.</P> <PRE><CODE>sourcetype=mail | sistats count as sbj_count by subject </CODE></PRE> <P>Which I am accessing it using:</P> <PRE><CODE>summaryindex=myindex report=report_for_this_search | stats count as sbj_count by subject </CODE></PRE> <P>This works however I need an _time value which this does not have. I try to create one by changing the saved search, based on the documentation for summary indexing without a timestamp to </P> <PRE><CODE>sourcetype=mail | sistats count as sbj_count by subject | eval _time=now() </CODE></PRE> <P>and accessing it using</P> <PRE><CODE>summaryindex=myindex report=report_for_this_search | stats count as sbj_count by subject | eval _time=now() | table _time,subject,sbj_count </CODE></PRE> <P>Which produces the _time values as the time of my search rather than the time of the search which generated the summary index. How do I get the _time value to be the time that the summary index event ran rather than when I searched the summary index?</P> Mon, 10 Apr 2017 18:12:51 GMT jamessteel 2017-04-10T18:12:51Z https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317290#M2739 <P>I am currently generating a summary index using the following saved search.</P> <PRE><CODE>sourcetype=mail | sistats count as sbj_count by subject </CODE></PRE> <P>Which I am accessing it using:</P> <PRE><CODE>summaryindex=myindex report=report_for_this_search | stats count as sbj_count by subject </CODE></PRE> <P>This works however I need an _time value which this does not have. I try to create one by changing the saved search, based on the documentation for summary indexing without a timestamp to </P> <PRE><CODE>sourcetype=mail | sistats count as sbj_count by subject | eval _time=now() </CODE></PRE> <P>and accessing it using</P> <PRE><CODE>summaryindex=myindex report=report_for_this_search | stats count as sbj_count by subject | eval _time=now() | table _time,subject,sbj_count </CODE></PRE> <P>Which produces the _time values as the time of my search rather than the time of the search which generated the summary index. How do I get the _time value to be the time that the summary index event ran rather than when I searched the summary index?</P> Mon, 10 Apr 2017 18:12:51 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317290#M2739 jamessteel 2017-04-10T18:12:51Z https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317291#M2740 <P>Try adding _time to the by clause in your sistats command:</P> <P><CODE>sourcetype=mail | sistats count as sbj_count by subject, _time</CODE></P> <P>To test it out first, just use the regular stats command to ensure you get what you expect:</P> <P><CODE>sourcetype=mail | stats count as sbj_count by subject, _time</CODE></P> <P>Depending on what your data looks like you may have multiple timestamps to deal with, so something like <CODE>| stats max(_time) AS _time</CODE> may also be helpful if you want the last timestamp. Would likely then need to convert the epoch to human readable. Really depends what the data looks like and what your desired outcome is. Feel free to post a couple example events to allow us to help further. </P> Mon, 10 Apr 2017 18:54:41 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317291#M2740 mattymo 2017-04-10T18:54:41Z https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317292#M2741 <P>Change your summary index search like this</P> <PRE><CODE>sourcetype=mail | eval _time=now() | sistats count as sbj_count by subject _time </CODE></PRE> <P>And access it like this</P> <PRE><CODE>index=myindex report=report_for_this_search | stats count as sbj_count by subject _time </CODE></PRE> Mon, 10 Apr 2017 18:57:41 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317292#M2741 somesoni2 2017-04-10T18:57:41Z https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317293#M2742 <P>Thank you for the response, this would work for most people who are trying to group by the time of the event, and works if I trasnform the time using the command given below. Thank you for the response though!</P> Mon, 10 Apr 2017 19:18:50 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317293#M2742 jamessteel 2017-04-10T19:18:50Z https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317294#M2743 <P>Thank you, this worked well. This method of doing it makes more sense now that I think about it.</P> Mon, 10 Apr 2017 19:21:57 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317294#M2743 jamessteel 2017-04-10T19:21:57Z https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317295#M2744 <P>ah! I re-read your post and see what you mean now! Glad Somesoni2 got you sorted!</P> Mon, 10 Apr 2017 20:59:43 GMT https://community.splunk.com/t5/Knowledge-Management/How-to-get-time-value-into-summary-index-data/m-p/317295#M2744 mattymo 2017-04-10T20:59:43Z