How to assign search_now value with info_max_time in _raw?

LearningGuy — Thu, 07 Mar 2024 18:56:00 GMT

Hello,

How to assign search_now value with info_max_time in _raw?

I am trying to push "past" data using collect command into summary index.
I want to use search_now as a baseline time

I appreciate your help. Thank you

Here's my attempt using some code from @bowesmana , but it gave me duplicate search_now:

index=original_index | addinfo | eval _raw=printf("search_now=%d", info_max_time) | foreach "*" [| eval _raw = _raw.case(isnull('<<FIELD>>'),"", mvcount('<<FIELD>>')>1,", <<FIELD>>=\"".mvjoin('<<FIELD>>',"###")."\"", true(), ", <<FIELD>>=\"".'<<FIELD>>'."\"") | fields - "<<FIELD>>" ] | collect index=summary testmode=false file=summary_test_1.stash_new name=summary_test_1" marker="report=\"summary_test_1\""

Re: How to assign search_now value with info_max_time in _raw?

LearningGuy — Thu, 07 Mar 2024 18:55:35 GMT

I think I figured it out

index=original_index | addinfo | eval search_now=info_max_time | eval _raw=printf("_time=%d", info_min_time) | foreach "*" [| eval _raw = _raw.case(isnull('<<FIELD>>'),"", mvcount('<<FIELD>>')>1,", <<FIELD>>=\"".mvjoin('<<FIELD>>',"###")."\"", true(), ", <<FIELD>>=\"".'<<FIELD>>'."\"") | fields - "<<FIELD>>" ] | collect index=summary testmode=false file=summary_test_1.stash_new name=summary_test_1" marker="report=\"summary_test_1\""

topic Re: How to assign search_now value with info_max_time in _raw? in Splunk Search

How to assign search_now value with info_max_time in _raw?

Re: How to assign search_now value with info_max_time in _raw?