topic Re: Using a different field for time in Splunk Search

How to use a different field for time?

HWalk1 — Thu, 07 Apr 2022 15:38:23 GMT

Hi All! The data I am pulling is coming from nodes in multiple time zones. I want to use that time zone instead of Splunk's time field. The correct time data is already being pulled in a NodeTime field but I cannot figure out how to use that field instead of Splunk's time field. Any ideas? TIA for the help!

Re: Using a different field for time

richgalloway — Thu, 07 Apr 2022 13:07:46 GMT

The time picker and the earliest and latest keywords only use the _time field. There is no way to change that. You can, however, filter on the NodeTime field yourself (after any necessary conversions) using something like | where NodeTime < foo.

It sounds like the data is not being onboarded as well as it could be. If NodeTime is the best time field then that is what the props.conf settings for the sourcetype should be using for _time. We can help fix that, if you like.

Re: Using a different field for time

HWalk1 — Thu, 07 Apr 2022 13:45:07 GMT

So I am using the below query in a dashboard. I have a time range picker on the dashboard as well. I want the people who use the dash to be able to pick the time and have it be from the NodeTime field rather than splunk's time field. What you're saying is that the data should be onboarded using that field for _time? Or is there a different way to accomplish this?

index=*SYSTEM* sourcetype=logactivity host=apac type= "Access granted" portalname=APAC*
|dedup personkey
|chart dc(personkey)

Re: Using a different field for time

richgalloway — Thu, 07 Apr 2022 14:36:30 GMT

If NodeTime is the preferred field to use then the data should be onboarded using that field as _time. If it is only one field that can be used then another method is needed.

index=*SYSTEM* sourcetype=logactivity host=apac type= "Access granted" portalname=APAC* ```Get the search's time range``` | addinfo ```Convert NodeTime into epoch form``` | eval eNodeTime = strptime(NodeTime, "<<format string>>") ```See if NodeTime falls inside the selected time window``` | where eNodeTime >= info_min_time AND eNodeTime <= info_max_time | dedup personkey | chart dc(personkey)

Re: Using a different field for time

PickleRick — Thu, 07 Apr 2022 18:33:40 GMT

In Splunk _time is the most important field of them all 😉

It's the single most effective method of speeding up your search - by narrowing your timerange.

And the process of onboarding new source should include analysis where should Splunk get the event's timestamp (the _time value) from. Sometimes the appropriate timestamp is the moment when forwarder receives the data (for example when a log file doesn't contain any time-related information whatsoever). Sometimes the time is explicitly given in a "header" file of the event (like with most syslog messages). But sometimes the event can contain many different bits of time-related info.

For example you might have a transaction start, end and a request timestamp along with a timestamp from the logging system. All within the same event. And it's a part of the onboarding process to decide which of these timestamps is the "true" event's timestamp and which should be extracted as the _time field. This will be the one that events are by default ordered by and it's the one that you can easily limit search timerange with timepicker or earliest/latest condition. And this one works very fast.

You can have also other time containing fields extracted but you can't easily limit your search the way you do with _time. With those fields you have to search for some superset of your events and filter it by the | where clause.