topic Re: Modification of _time value in Splunk Search

Modification of _time value

isabellechristo — Thu, 11 Jan 2018 17:16:50 GMT

Hello,

When I create a new index with an old index I would like to have an _time with a time different than the time of the day that I create my index.

Is it possible ?

Re: Modification of _time value

micahkemp — Thu, 11 Jan 2018 20:08:44 GMT

Can you rephrase the question? It's unclear (at least to me) what it is you're asking.

Re: Modification of _time value

isabellechristo — Thu, 11 Jan 2018 20:17:02 GMT

By exemple :

Index1 : _raw with _time 01/01/2017

index2 is creating on 01/01/2018 and I would like to have in _raw 01/01/2017 for _time

it is for having in presets a value of research that I can have for the data in the initial index.

Re: Modification of _time value

micahkemp — Thu, 11 Jan 2018 20:21:29 GMT

Timestamps aren't a function of the index, they are a function of the sourcetype.

Do you want to index different event formats with different time formats?

Re: Modification of _time value

somesoni2 — Thu, 11 Jan 2018 20:33:32 GMT

Are you ingesting (or planning to ingest) same data in both the index? If yes, from where are you getting this data? OR you've data in Index1 and just want to replicate same data but adjusted timestmap in Index2?

Re: Modification of _time value

isabellechristo — Thu, 11 Jan 2018 20:36:46 GMT

I would like to replicate same data but adjusted timestamp in index2

Re: Modification of _time value

isabellechristo — Thu, 11 Jan 2018 20:41:00 GMT

I would like to adjust the timestamp in the new index

Re: Modification of _time value

somesoni2 — Thu, 11 Jan 2018 20:46:15 GMT

You can use summary indexing method (collect command or by scheduling a search and enabling summary indexing) to send your Index1 data to Index2. In your search, you'd manipulate your _time before sending (adding 1 year). A sample search (using collect command) could be like this:

index=Index1 sourcetype=yoursourcetype
| eval _time=relative_time(_time,"+1y")
| collect index=Index2

See more info on collect command here:

http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Collect

Re: Modification of _time value

isabellechristo — Thu, 11 Jan 2018 21:03:27 GMT

and if I want to put in _time an other value than _time like by example in _time I would to put a date witch is not _time . Is it possible ?

Re: Modification of _time value

micahkemp — Thu, 11 Jan 2018 21:15:50 GMT

While using the collect command to change the timestamp, consider the discussion on this recent answers post.

It doesn't seem as simple as setting a new _time value before piping to collect.

Re: Modification of _time value

somesoni2 — Thu, 11 Jan 2018 21:30:43 GMT

You should be able to manipulate _time within the compound of eval command and available values/function in your Splunk. If you can describe what kind of changes exactly you're planning to make, we can have a look at it's feasibility.