topic Re: Use of _indextime field in table or stats command in Splunk Search

Use of _indextime field in table or stats command

rakshithreddy — Tue, 31 Oct 2017 23:04:47 GMT

Hi All

How can I use _indextime field in table or stats command without renaming or converting it.

Not working
Ex: * | table host source sourcetype _time _indextime _raw

Its working if I rename the _indextime or convert the _indextime, But I want the results with _indextime as field

Working
Ex: * | eval indextime=_indextime | table host source sourcetype _time indextime _raw

Thank you

Re: Use of _indextime field in table or stats command

ddrillic — Tue, 31 Oct 2017 23:24:35 GMT

Try please - base search | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime

Re: Use of _indextime field in table or stats command

rakshithreddy — Tue, 31 Oct 2017 23:35:07 GMT

thanks for reply,

I want it to be -
base search | table _indextime, the field name should be _indextime as i am sending these results to an external application & that application can only detect if its _indextime

Re: Use of _indextime field in table or stats command

Lucas_K — Tue, 31 Oct 2017 23:51:34 GMT

I think you're out of luck. You can't display exact "_indextime" as the output will always filter.

You can fake it and put in a space though.

index=_internal | rename _indextime AS " _indextime"| table host " _indextime"

Notice the space in the quotes.

Re: Use of _indextime field in table or stats command

ddrillic — Wed, 01 Nov 2017 00:57:45 GMT

No luck -

Re: Use of _indextime field in table or stats command

kamlesh_vaghela — Wed, 01 Nov 2017 18:17:56 GMT

Hi @rakshithreddy,

_indextime is an internal filed and a hidden field, it will not be displayed in search results unless renamed or used with an eval.

So whenever you eval _indextime it will work.

Please refer below document for more information.

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Usedefaultfields

Thanks
Happy Splunking

Re: Use of _indextime field in table or stats command

rakshithreddy — Wed, 01 Nov 2017 18:34:18 GMT

Hello

Thanks for reply

We can display _raw , _time not _indextime & not sure why

Re: Use of _indextime field in table or stats command

kamlesh_vaghela — Wed, 01 Nov 2017 18:41:14 GMT

Hi @rakshithreddy,

Good question.

_raw and _time is NOT hidden field.

The _raw field contains the original raw data of an event. The search command uses the data in _raw when performing searches and data extraction.

The _time field contains an event's timestamp expressed in Unix time. This field is used to create the event timeline in Splunk Web.

_indextime is a hidden field that's why we have to eval _indextime to make in use.

🙂

Thanks

Re: Use of _indextime field in table or stats command

rakshithreddy — Wed, 01 Nov 2017 19:00:10 GMT

Good to know,
But I was looking for anyway if we cheat this thing.

Thank you

Re: Use of _indextime field in table or stats command

kamlesh_vaghela — Wed, 01 Nov 2017 19:13:00 GMT

Hi @rakshithreddy,

Yes, for you I have a trick but in configuration.

If we set EVAL in props.conf then we don't need eval in any search in the app.

Just put below configuration in props.conf.

[MY_SOURCETYPE]
EVAL-indextime=_indextime

Search:

sourcetype=MY_SOURCETYPE | table _time indextime

Thanks
Happy Splunking.