
Use of _indextime field in table or stats command

New Member

Hi All

How can I use the _indextime field in a table or stats command without renaming or converting it?

Not working
Ex: * | table host source sourcetype _time _indextime _raw

It's working if I rename the _indextime or convert the _indextime, but I want the results with _indextime as the field.

Working
Ex: * | eval indextime=_indextime | table host source sourcetype _time indextime _raw

Thank you


SplunkTrust

Hi @rakshithreddy,

_indextime is an internal field and a hidden field; it will not be displayed in search results unless renamed or used with an eval.

So whenever you eval _indextime it will work.

Please refer to the document below for more information.

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Usedefaultfields

Thanks
Happy Splunking


New Member

Hello

Thanks for the reply.

We can display _raw and _time but not _indextime, and I'm not sure why.


SplunkTrust

Hi @rakshithreddy,

Good question.

_raw and _time are NOT hidden fields.

The _raw field contains the original raw data of an event. The search command uses the data in _raw when performing searches and data extraction.

The _time field contains an event's timestamp expressed in Unix time. This field is used to create the event timeline in Splunk Web.

_indextime is a hidden field; that's why we have to eval _indextime to make use of it.

🙂

Thanks


New Member

Good to know,
but I was looking for any way to cheat this thing.

Thank you


SplunkTrust

Hi @rakshithreddy,

Yes, for you I have a trick, but in configuration.

If we set EVAL in props.conf then we don't need an eval in any search in the app.

Just put the configuration below in props.conf.

[MY_SOURCETYPE]
EVAL-indextime=_indextime

Search:

sourcetype=MY_SOURCETYPE | table _time indextime

Thanks
Happy Splunking.

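Two searches that build on the eval approach in the answer above, added here as an example and not taken from the thread or from Splunk's documentation. MY_SOURCETYPE is the placeholder sourcetype name from the answer; the 300-second threshold in the second search is an arbitrary assumption. The first search shows _indextime in a table alongside _time; the second uses it in stats to measure how far behind the event timestamp each host's data was indexed.

```spl
sourcetype=MY_SOURCETYPE
| eval indextime=_indextime, lag_seconds=_indextime-_time
| table _time indextime lag_seconds host source

sourcetype=MY_SOURCETYPE
| eval lag_seconds=_indextime-_time
| stats count avg(lag_seconds) AS avg_lag max(lag_seconds) AS max_lag BY sourcetype host
| where max_lag > 300
```

The second search is the one a detection team usually wants: a scheduled search bounded on _time can miss events that arrive at the indexer well after their timestamp, so hosts whose max_lag regularly exceeds the search window are a blind spot worth tracking. Both searches work whether the indextime field comes from the inline eval shown here or from the EVAL-indextime setting in props.conf.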

Ultra Champion

Please try: base search | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime


New Member

Thanks for the reply,

I want it to be:
base search | table _indextime. The field name should be _indextime, as I am sending these results to an external application, and that application can only detect it if it's _indextime.


Motivator

I think you're out of luck. You can't display exactly "_indextime", as the output will always filter it.

You can fake it and put in a space though.

index=_internal | rename _indextime AS " _indextime"| table host " _indextime"

Notice the space in the quotes.


Ultra Champion

No luck -

[screenshot omitted]