Archive

Collect's addtime=true/false : What does it do?

Champion

I've got certain events that I want to send to collect. I see the addtime option (defaults to true). What does it do?

My assumption was that setting it to false (addtime=f) uses the _time of the original event, but that doesn't seem to be the case. No matter what I use, t or f, I get a timestamp of the current time when my search was piped to collect. For example:

mysearch for two files | diff | collect index=summary addtime=f

(The search outputs just fine with the correct date when I append | addinfo to the end of the search above.)

Splunk version 4.1.4.

0 Karma

Splunk Employee
Splunk Employee

First of all, the option only has an effect if the results going into collect do not have a _raw field, i.e., usually output of (si)stats or (si)timechart. If you're using the diff command, I expect you would have a _raw field, so it doesn't do anything.

In the case where there is no _raw field, specifiying addtime=f will have Splunk go through it's generic date detection against fields in whatever order they happen to be in the summary rows (usually lexicographic by field name). Using addtime=t ensures that the search time range info_min_time (which is added by sistats) or _time in the summary data gets used instead.

Champion

Thanks for the response. Is there some other way to inject my diff result into the index?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!