Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use of _indextime field in table or stats command

rakshithreddy
Explorer
‎10-31-2017 04:04 PM

Hi All

How can I use _indextime field in table or stats command without renaming or converting it.

Not working
Ex: * | table host source sourcetype _time _indextime _raw

Its working if I rename the _indextime or convert the _indextime, But I want the results with _indextime as field

Working
Ex: * | eval indextime=_indextime | table host source sourcetype _time indextime _raw

Thank you

Tags (1)
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-01-2017 11:17 AM

Hi @rakshithreddy,

_indextime is an internal filed and a hidden field, it will not be displayed in search results unless renamed or used with an eval.

So whenever you eval _indextime it will work.

Please refer below document for more information.

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Usedefaultfields

Thanks
Happy Splunking

0 Karma
Reply

rakshithreddy
Explorer
‎11-01-2017 11:34 AM

Hello

Thanks for reply

We can display _raw , _time not _indextime & not sure why

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-01-2017 11:41 AM

Hi @rakshithreddy,

Good question.

_raw and _time is NOT hidden field.

The _raw field contains the original raw data of an event. The search command uses the data in _raw when performing searches and data extraction.

The _time field contains an event's timestamp expressed in Unix time. This field is used to create the event timeline in Splunk Web.

_indextime is a hidden field that's why we have to eval _indextime to make in use.

🙂

Thanks

0 Karma
Reply

rakshithreddy
Explorer
‎11-01-2017 12:00 PM

Good to know,
But I was looking for anyway if we cheat this thing.

Thank you

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-01-2017 12:13 PM

Hi @rakshithreddy,

Yes, for you I have a trick but in configuration.

If we set EVAL in props.conf then we don't need eval in any search in the app.

Just put below configuration in props.conf.

[MY_SOURCETYPE]
EVAL-indextime=_indextime

Search:

sourcetype=MY_SOURCETYPE | table _time indextime

Thanks
Happy Splunking.

0 Karma
Reply

ddrillic
Ultra Champion
‎10-31-2017 04:24 PM

Try please - base search | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime

Reply

rakshithreddy
Explorer
‎10-31-2017 04:35 PM

thanks for reply,

I want it to be -
base search | table _indextime, the field name should be _indextime as i am sending these results to an external application & that application can only detect if its _indextime

0 Karma
Reply

Lucas_K
Motivator
‎10-31-2017 04:51 PM

I think you're out of luck. You can't display exact "_indextime" as the output will always filter.

You can fake it and put in a space though.

index=_internal | rename _indextime AS " _indextime"| table host " _indextime"

Notice the space in the quotes.

0 Karma
Reply

ddrillic
Ultra Champion
‎10-31-2017 05:57 PM

No luck -

alt text

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...