
Modification of _time value

New Member

Hello,

When I create a new index from an old index, I would like the _time to be a time different from the date of the day on which I create my index.

Is it possible?


Champion

While using the collect command to change the timestamp, consider the discussion on this recent answers post.

It doesn't seem as simple as setting a new _time value before piping to collect.


Champion

Can you rephrase the question? It's unclear (at least to me) what it is you're asking.


New Member

For example:

Index1: _raw with _time 01/01/2017

Index2 is created on 01/01/2018, and I would like to have 01/01/2017 as the _time for that _raw.

It is so that, in the presets, I have a search value that I can use for the data in the initial index.


SplunkTrust

Are you ingesting (or planning to ingest) the same data in both indexes? If yes, from where are you getting this data? Or do you have data in Index1 and just want to replicate the same data, but with an adjusted timestamp, in Index2?


New Member

I would like to replicate the same data but with an adjusted timestamp in Index2.


SplunkTrust

You can use the summary indexing method (the collect command, or scheduling a search and enabling summary indexing) to send your Index1 data to Index2. In your search, you would manipulate _time before sending (adding 1 year). A sample search (using the collect command) could look like this:

index=Index1 sourcetype=yoursourcetype
| eval _time=relative_time(_time,"+1y")
| collect index=Index2

See more info on collect command here:

http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Collect


New Member

And if I want to put another value than _time into _time, for example if I wanted to put into _time a date which is not _time, is it possible?


SplunkTrust

You should be able to manipulate _time within the scope of the eval command and the values/functions available in your Splunk. If you can describe exactly what kind of changes you're planning to make, we can have a look at its feasibility.

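The two answers above (shifting _time by a year before collect, and setting _time to a date that is not the original _time at all) can be covered by one search. The following is an added example, not code from the thread; the index names, the sourcetype and the field name event_date are assumptions, and the fixed date 01/01/2017 comes from the question. It uses eval with strptime to parse a date string into the epoch value that _time must hold, drops events whose date did not parse, and runs collect in testmode first so nothing is written until the result is checked:

```spl
index=Index1 sourcetype=yoursourcetype
| eval orig_time=_time
| eval _time=strptime("01/01/2017", "%d/%m/%Y")
| eval _time=if(isnotnull(event_date), strptime(event_date, "%d/%m/%Y"), _time)
| where isnotnull(_time)
| eval check=strftime(_time, "%Y-%m-%d %H:%M:%S"), orig_check=strftime(orig_time, "%Y-%m-%d %H:%M:%S")
| collect index=Index2 sourcetype=yoursourcetype testmode=true
```

The third line sets every event to the fixed date from the question; the fourth overrides it per event when a parseable date field is present (event_date is an assumed field, replace it with whatever your events carry), so the same search serves both the fixed-date and the per-event case. strptime returns null when the string does not match the format, which is why the where clause is there: without it, collect would fall back to its own timestamp for those events and they would land in Index2 on the day the search ran, which is exactly what the question wants to avoid. The check fields let you eyeball the old and new times in the results; once they look right, remove testmode=true to actually write. Two caveats: collect writes summary events with sourcetype stash unless you set sourcetype= as above, so a search on the original sourcetype would not find them in Index2, and setting a sourcetype other than stash makes the collected events count against your license.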

Champion

Timestamps aren't a function of the index, they are a function of the sourcetype.

Do you want to index different event formats with different time formats?


New Member

I would like to adjust the timestamp in the new index.
