topic Re: How to use info_max_time as _time? in Splunk Search

How to use info_max_time as _time?

the_wolverine — Wed, 17 Oct 2012 22:00:50 GMT

I'm running a search where I perform a rename of another time field to _time:

mysummarysearch | rename info_max_time as _time

It works as a simple search but if I try to do anything bolder, like use it in a subsearch and append to another search, I lose the results of the subsearch entirely (only the results of the outer search are returned.)

Re: How to use info_max_time as _time?

bmacias84 — Mon, 28 Sep 2020 12:38:37 GMT

Why not rename info_max_time as another name rather than using _time? Personally I've noticed quarky thing when renaming field to metadata fields when performing complex searches. Another question in your outer search are you using "...| fields ," before performing a subsearch or append?

Re: How to use info_max_time as _time?

the_wolverine — Wed, 17 Oct 2012 23:42:38 GMT

Yeah, I'm seeing odd behavior as well but I'm not sure how I would timechart this if I don't use _time?

My outersearch is just (filtered) events, all fields. I'm trying to combine 2 sources of data so I can timechart them all based on _time.

Re: How to use info_max_time as _time?

dbryan — Thu, 18 Oct 2012 00:12:49 GMT

Are you trying to rename it as _time so that Splunk uses it as the time of the event? In my experience I haven't had any success getting Splunk to treat a different field as the native time of the event at search time.

Re: How to use info_max_time as _time?

the_wolverine — Mon, 28 Sep 2020 12:38:39 GMT

Yes, it works! But only as a simple search:

search | rename info_max_time as _time

However if I want to subsearch that, Splunk doesn't agree with me.

Re: How to use info_max_time as _time?

sideview — Thu, 18 Oct 2012 06:48:22 GMT

Can you post the subsearch where you were attempting to use the _time values as arguments to the outer search? If you use time arguments in the search clause you have to use the earliest and latest search terms, ie earliest=-24h, or earliest=1350408576. So really if you want to use them as search arguments you need to rename them to earliest and latest...

Re: How to use info_max_time as _time?

bmacias84 — Mon, 28 Sep 2020 12:38:59 GMT

I haved used the following instead of using timechart.



mysummarysearch | rename info_max_time as ctime | chart span=5m max(mycount) as "Max Count" over ctime  by host



mysummarysearch | rename info_max_time as ctime | stats max(cpu) as mcpu, stdev(cpu) as scpu | fields ctime, mcpu, scpu

Re: How to use info_max_time as _time?

the_wolverine — Thu, 18 Oct 2012 22:49:38 GMT

Thanks for all the suggestions! I have to use a specific start time for my use case -- but based on the suggestions in comments, I've gotten this to work:

Here is my query with subsearch

[search index=summary marker=abc earliest=1350595800 | rename info_max_time as _time | format maxresults=0 ] OR index=main sourcetype=xyz OR sourcetype=123 earliest=1350595800 | timechart span=10m count(eval(sourcetype=="abc")) as XYZ count(eval(sourcetype=="123")) as 123 count(eval(marker=="abc")) as ABC