https://community.splunk.com/t5/Knowledge-Management/bad-time-in-summary-index-or-collect-command/m-p/39386#M355 <P>if i do that i get _time empty when i do my search, and when i use collect on it and search the result, i get the same thing, _time has the time of the collect.<BR /> why is the field _time not getting the value in time? </P> Thu, 22 Dec 2011 15:37:46 GMT splunkj900 2011-12-22T15:37:46Z https://community.splunk.com/t5/Knowledge-Management/bad-time-in-summary-index-or-collect-command/m-p/39384#M353 <P>hey<BR /> i have a data source of csv type, generated from a script that runs every 1 minute.<BR /> the data has "time" field, which is in dd/mm/yyyy hh:mi format, and everything works great.<BR /> when i create a summmary index that runs every 5 minutes, using the web interface, or use a collect command to do it manually one time, i have the following problem :</P> <P>the time fields that splunk shows the data according to is _time which gets the time of the summary/collect runtime, and not the time of the data under it.</P> <P>for example </P> <P>say my data is </P> <P>time country counter<BR /> 20/12/2011 15:50 canada 50<BR /> 20/12/2011 15:51 canada 60<BR /> 20/12/2011 15:52 canada 60<BR /> 20/12/2011 15:50 spain 11<BR /> 20/12/2011 15:51 spain 11<BR /> 20/12/2011 15:52 spain 11</P> <P>i would like to aggregate the data by time only so i would have</P> <P>time counter<BR /> 20/12/2011 15:50 61<BR /> 20/12/2011 15:51 71<BR /> 20/12/2011 15:52 71</P> <P>by doing <BR /> index=x source=y | stats sum(counter) by time</P> <P>when i do this search in the web interface everything is ok, but when i schedule this to be a summary index or do pipe it to a collect command i get this :</P> <P>_time time counter<BR /> 12/22/11 3:55:00.00 PM 20/12/2011 15:50 61<BR /> 12/22/11 3:55:00.00 PM 20/12/2011 15:51 61<BR /> 12/22/11 3:55:00.00 PM 20/12/2011 15:52 61</P> <P>and the data is shown according to the _time field.<BR /> i've tried all kinds of tricks like setting the _time with eval, doing addtime=f in the collect, and nothing works.</P> <P>splunk version is 4.2.4<BR /> thanks</P> Thu, 22 Dec 2011 14:00:04 GMT https://community.splunk.com/t5/Knowledge-Management/bad-time-in-summary-index-or-collect-command/m-p/39384#M353 splunkj900 2011-12-22T14:00:04Z https://community.splunk.com/t5/Knowledge-Management/bad-time-in-summary-index-or-collect-command/m-p/39385#M354 <P>You could try to write also the _time field into SI.</P> <P>... | stats sum(counter) by time | ... | table _time field1 field2 ... fieldn</P> Thu, 22 Dec 2011 14:13:23 GMT https://community.splunk.com/t5/Knowledge-Management/bad-time-in-summary-index-or-collect-command/m-p/39385#M354 imrago 2011-12-22T14:13:23Z https://community.splunk.com/t5/Knowledge-Management/bad-time-in-summary-index-or-collect-command/m-p/39386#M355 <P>if i do that i get _time empty when i do my search, and when i use collect on it and search the result, i get the same thing, _time has the time of the collect.<BR /> why is the field _time not getting the value in time? </P> Thu, 22 Dec 2011 15:37:46 GMT https://community.splunk.com/t5/Knowledge-Management/bad-time-in-summary-index-or-collect-command/m-p/39386#M355 splunkj900 2011-12-22T15:37:46Z https://community.splunk.com/t5/Knowledge-Management/bad-time-in-summary-index-or-collect-command/m-p/39387#M356 <PRE><CODE>index=x source=y | stats sum(counter) by time | rename time as _time </CODE></PRE> Thu, 22 Jun 2017 15:15:37 GMT https://community.splunk.com/t5/Knowledge-Management/bad-time-in-summary-index-or-collect-command/m-p/39387#M356 DalJeanis 2017-06-22T15:15:37Z