When I create a new index from an old index, I would like to have a _time with a time different from the time of the day on which I create my index.
Is it possible?
For example:
Index1: _raw with _time 01/01/2017
Index2 is created on 01/01/2018 and I would like to have 01/01/2017 for _time in _raw.
It is so that I can have, in presets, a search value that I can also have for the data in the initial index.
Are you ingesting (or planning to ingest) the same data in both indexes? If yes, from where are you getting this data? OR do you have data in Index1 and just want to replicate the same data, but with an adjusted timestamp, in Index2?
You can use the summary indexing method (the collect command, or scheduling a search and enabling summary indexing) to send your Index1 data to Index2. In your search, you'd manipulate your _time before sending (adding 1 year). A sample search (using the collect command) could be like this:
index=Index1 sourcetype=yoursourcetype | eval _time=relative_time(_time,"+1y") | collect index=Index2
See more info on the collect command here:
You should be able to manipulate _time with the eval command and the values/functions available in your Splunk. If you can describe what kind of changes exactly you're planning to make, we can have a look at its feasibility.
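The scheduled-search variant mentioned in the answer, written out as an added example (not part of the original answer or of Splunk's own documentation); the stanza name, Index1, Index2 and yoursourcetype are placeholders taken from the thread:

```ini
# Added example: savedsearches.conf stanza that runs the answer's search on a
# schedule and writes the results to Index2 via the summary indexing action.
# Index1, Index2, yoursourcetype and the stanza name are placeholders.
[copy_index1_to_index2_shifted]
# Same search as the collect example, minus the collect command itself:
# the summary index action below does the writing instead.
search = index=Index1 sourcetype=yoursourcetype | eval _time=relative_time(_time,"+1y")
# Run once a night over the previous day only, so each run copies only new
# events instead of re-sending (and duplicating) everything copied before.
enableSched = 1
cron_schedule = 5 0 * * *
dispatch.earliest_time = -1d@d
dispatch.latest_time = @d
# Summary indexing action: results go to Index2, keeping the shifted _time.
action.summary_index = 1
action.summary_index._name = Index2
# Add a marker field to every copied event so the shifted copies can be
# told apart from original data when searching Index2.
action.summary_index.copied_from = Index1
```

The scheduled form suits an ongoing copy; for a one-off copy of historical data, run the collect search from the answer over the full time range instead.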