Long running summary search and info_max_time vs info_min_time

the_wolverine
Champion

I'm running a summary search to calculate stats over 7 days. The summary is setting the timestamp as info_min_time. How can I get it to use info_max_time as the summary event timestamp?


the_wolverine
Champion

I've halfway figured this one out. The searches span -7d to now and I'm backfilling 7 days. Splunk is using the info_min_time (first event used in stats) as the timestamp for the summary event.

Is there a way to get Splunk to use info_max_time as the summary timestamp? In the meantime, I am using a workaround of

| rename info_max_time as _time

Would be nice to be able to tell Splunk to use info_max_time as the timestamp when writing to summary.
