Reconfiguring timestamp to match csv row, not indexing time

jamesandy51
Explorer

Hi! I am attaching a screenshot of my query as the problem is immediately apparent. I am searching only for dates 1/14-1/18. I have data in Splunk that has a "day" and "hour" column, and I want that to be the source of truth for my dates. I think Splunk is ignoring them and setting a timestamp based on time of index. Can you please tell me how to troubleshoot configuring the timestamp? As you can see, I am trying to display _time or timestamp, but these are not even selected fields. How do I make my query only contain the dates within my selected range (excluding 1/04, 1/07, etc.)?


Vijeta
Influencer

You could use _time instead of day and get the actual date from _time:

  eval date = strftime(_time, "%Y-%m-%d")


jamesandy51
Explorer

Sorry, not sure I understand your suggestion. You can see that _time is empty in my table, so using that field returns no results. "day" is a column header in my data which has the timestamp I want to use, so I definitely want that field included in my query.


Vijeta
Influencer

_time is never empty by default; it always has a timestamp. In your table it is empty because you are using stats by day and not by _time. The result of your stats is a table with the reqs and day fields, so you cannot see the _time field as it has already been removed by the stats command.


jamesandy51
Explorer

Even if I use _time, it is still returning results from the days outside of my selected time range. How do I make the time range apply to the dates that I want? I have it now so that eval _time is returning the correct dates, but the results being returned are still all of the ones indexed during those dates.


Vijeta
Influencer

The time range looks at _time, so if you select time from 14th Jan to 18th Jan, it will pick events whose _time falls in that range only. Try the search below:

  network="client" venue_id IN(venue_name) | bin span=1d _time | stats sum(req_spots) as reqs by _time | fields _time reqs

jamesandy51
Explorer

Sorry, but as I explained this will not work. This query groups all the requests between 1/04-1/15 into the 1/15 timestamp. This is because all of this data was indexed on 1/15. I do not want the _time to look at when the data was indexed. I want it to look at the timestamp within the csv.

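The ingest-time fix the thread is circling around, as an added example that is not from any of the posters: a props.conf stanza that makes Splunk build _time from the CSV's day and hour columns instead of the index time. The sourcetype name, the column formats, and the timezone are assumptions.

```ini
# props.conf on the instance that parses the CSV (the universal forwarder,
# for INDEXED_EXTRACTIONS). Stanza name is an assumed sourcetype.
[venue_requests_csv]
INDEXED_EXTRACTIONS = csv
# Take field names (day, hour, req_spots, ...) from the first header row.
HEADER_FIELD_LINE_NUMBER = 1
# Build the event timestamp from these columns rather than index time.
# Assumption: the listed field values are joined with a space, in order,
# and then parsed with TIME_FORMAT.
TIMESTAMP_FIELDS = day,hour
# Assumed column formats: day = 2019-01-14, hour = 13 (24-hour clock).
TIME_FORMAT = %Y-%m-%d %H
# Rows back-dated further than this are re-stamped with index time, which
# is the symptom seen in the thread; 2000 days is the documented default.
MAX_DAYS_AGO = 2000
# Timezone the CSV timestamps are written in (assumed UTC).
TZ = UTC
# Note: this only affects data parsed after the change. Rows already
# indexed keep their index-time _time and must be re-ingested.
```

For data that is already indexed, a search-time workaround is `| eval _time=strptime(day." ".hour, "%Y-%m-%d %H") | addinfo | where _time>=info_min_time AND _time<info_max_time`, which re-applies the time picker's range to the recomputed _time. It only works for events whose index-time _time already lies inside the picker window, since the base search filters on that first.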