How can I use the _indextime field in a table or stats command without renaming or converting it?
Ex: * | table host source sourcetype _time _indextime _raw
It's working if I rename the _indextime or convert the _indextime, but I want the results with _indextime as the field.
Ex: * | eval indextime=_indextime | table host source sourcetype _time indextime _raw
_indextime is an internal field and a hidden field, it will not be displayed in search results unless renamed or used with an
So whenever you
_indextime it will work.
Please refer below document for more information.
_time is NOT a hidden field.
_raw field contains the original raw data of an event. The search command uses the data in _raw when performing searches and data extraction.
_time field contains an event's timestamp expressed in Unix time. This field is used to create the event timeline in Splunk Web.
_indextime is a hidden field, that's why we have to eval _indextime to make use of it.
Yes, for you I have a trick but in configuration.
If we set EVAL in props.conf then we don't need eval in any search in the app.
Just put below configuration in props.conf.
sourcetype=MY_SOURCETYPE | table _time indextime
Thanks for the reply,
I want it to be -
base search | table _indextime, the field name should be _indextime as I am sending these results to an external application & that application can only detect if it's _indextime
I think you're out of luck. You can't display exact "_indextime" as the output will always filter.
You can fake it and put in a space though.
index=_internal | rename _indextime AS " _indextime"| table host " _indextime"
Notice the space in the quotes.
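
Since the search output cannot carry a column named exactly _indextime, the name can be restored outside Splunk before the results reach the external application. The following is an added example, not code from this thread: it assumes the results are exported as CSV, and the function name and sample rows are constructed for illustration.

```python
import csv
import io

TARGET = "_indextime"
# Header spellings produced by the workarounds in this thread:
# "indextime" from the eval copy, " _indextime" from the quoted rename.
ALIASES = ("indextime", " _indextime")

# Constructed sample of a CSV export after the quoted-rename workaround.
SAMPLE = (
    'host," _indextime",_raw\n'
    'web01,1700000000,"GET /index.html 200, 12ms"\n'
    'web02,1700000042,"GET /login 302, 8ms"\n'
)


def restore_indextime_header(csv_text: str) -> str:
    """Rename the workaround column back to _indextime; rows are untouched."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    if not rows:
        raise ValueError("empty export")
    header = rows[0]
    hits = [i for i, name in enumerate(header) if name in ALIASES]
    if TARGET in header and not hits:
        return csv_text  # already in the shape the consumer expects
    if len(hits) != 1 or TARGET in header:
        # Zero, several, or conflicting candidates: refuse to guess.
        raise ValueError(f"cannot pick a single index-time column in {header!r}")
    header[hits[0]] = TARGET
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    print(restore_indextime_header(SAMPLE), end="")
```

The function raises instead of guessing when the export has no candidate column or more than one, so a changed search does not silently feed the wrong timestamps downstream.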