When I search with a particular sourcetype, I get all the data, and the extracted fields are shown on the left side of the flashtimeline. But I'm not getting default fields like date_month and date_hour in the interesting fields section. Am I missing anything here?
Which specific fields are you missing? Just the date_* fields? Because these are not available for all sources; for instance, they are not present for Windows event logs, among others.
The date_* fields and some timeendpos, timestartpos fields. I've loaded SharePoint logs. For the same logs on the previous indexer they were visible, but on the new indexer I've loaded the same logs and they're not visible.
Seems like fields related to the time processor. In event logs at least these are not included, because the time processor is not invoked in the same way as for regular file-monitor-based inputs. You could always recreate the date_* fields using
"Seems like fields related to the time processor. In event logs at least these are not included because the time processor is not invoked in the same way as regular file monitor based inputs."
I didn't understand this. If possible, can you explain it to me in simple language?
I faced the same problem when I extracted the time from the log instead of using Splunk's event timings. However, as "AYN" suggested, you can use strftime to get those fields. It's pretty easy.
Your search | eval date_mday=strftime(_time,"%d") | eval date_month=strftime(_time,"%b") | table date_mday, date_month
This way you will be able to use them at search time for charting/stats related queries.
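As an added example (not code from the thread above or from Splunk's own documentation), the search below extends the idea to all of the standard date_* fields rather than just two, using the same formats the indexed fields use (lowercase full month and weekday names, numeric values without leading zeros, and date_zone as the offset from UTC in minutes). The sourcetype name "my_sourcetype" is a placeholder; substitute your own. Two points worth knowing before relying on it: eval only creates fields at search time and never rewrites indexed events or their timestamps, and the indexed date_* fields are taken from the raw timestamp text in the event, whereas strftime(_time, ...) renders _time in the timezone of the user running the search, so the two can differ when those timezones differ.

```spl
sourcetype="my_sourcetype"
| eval date_year   = tonumber(strftime(_time, "%Y"))
| eval date_month  = lower(strftime(_time, "%B"))
| eval date_mday   = tonumber(strftime(_time, "%d"))
| eval date_wday   = lower(strftime(_time, "%A"))
| eval date_hour   = tonumber(strftime(_time, "%H"))
| eval date_minute = tonumber(strftime(_time, "%M"))
| eval date_second = tonumber(strftime(_time, "%S"))
| eval tz          = strftime(_time, "%z")
| eval date_zone   = if(substr(tz, 1, 1) = "-", -1, 1) * (tonumber(substr(tz, 2, 2)) * 60 + tonumber(substr(tz, 4, 2)))
| fields - tz
| stats count by date_wday, date_hour
```

The closing stats clause is the usual reason to want these fields back: counting events by weekday and hour gives a quick activity profile for spotting logins or admin actions at unusual times, exactly the chart you would otherwise build from the indexed date_wday and date_hour fields.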
If I run a search like this:
sourcetype="INSPRODSP" | eval date_mday=strftime(_time,"%d") | eval date_month=strftime(_time,"%b") | table date_mday, date_month
INSPRODSP has all my data. If I run the above query, will this affect the existing timestamps of the indexed events?
Or will it just give me the default fields?
I'm asking this because I just want to make sure that the above query will not affect the existing indexed data!