Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to setup summary index using existing date field in data

manjuase
Explorer
‎12-29-2016 03:18 AM

Hi -

I have saved search returning events from past one year as below

ReadDate Count
20161101 500
20161102 550
.
.
.
.
20161228 800
20161229 900
.

and i have populated this data in to summary index however all this data is indexed with current data instead i want all this data to be indexed based on the ReadDate field. Hence tried setting up _time to ReadDate but results are not successful. Any suggestions how to achieve this please?

Thanks in Advance.

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎12-29-2016 06:57 AM

Try like this

your current saved search giving field ReadDate, Count
| eval _time=strptime(ReadDate,"%Y%m%d")
Reply

manjuase
Explorer
‎01-01-2017 11:26 PM

Hi,

Thanks for your reply....

It is working....

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Classroom Chronicles: Training Tales and Testimonials (Episode 2)

Welcome to the "Splunk Classroom Chronicles" series, created to help curious, career-minded learners get ...

Index This | I am a number but I am countless. What am I?

January 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  Happy New Year! We’re ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

PLATFORM TECH TALKS What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Thursday, February 27, ...