Getting Data In

Why is the _time value changing in the summary index?

Wendy1990
New Member

I am trying to use summary indexing to improve search efficiency, but it's resulting in an error because of the wrong _time value.
Event timestamp 6/9/15 10:59:54.960 PM is reset to 6/9/15 12:00:00.000 AM in the summary index.

My original search string is:

sourcetype="ims*" host="chi*" FirmName!="Eze" FirmName!="(null)" | timechart useother=f count by FirmName

My saved search name is "firmtimechart"
Start time is "-6mon@s"
Finish time is "now"
Saved search string is:

sourcetype="ims*" host="chi*" FirmName!="Eze" FirmName!="(null)" | sitimechart useother=f count by FirmName

My search string is:

index=summary search_name="firmtimechart" | timechart limit=5 useother=f count by FirmName

I wonder why the timestamp is changing and how to solve it.

0 Karma

pacrip
Path Finder

I think this is an issue with the way the timechart command is transforming the data. As you are looking over a large time range (6 months), the events are being bucketed into 1-day chunks so that they can be displayed nicely. You can test this by looking at the Statistics tab after running the search using non-si commands and looking at the _time field in the returned events.

If this isn't the desired behavior, you could look at using a stats command instead to avoid any of the timestamp changes associated with timechart, but at the end of the day the whole point of summary indexing is to summarise the data over a period, so it makes sense to keep it bucketed as it is.

0 Karma
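The bucketing described in the answer above, as an added example that is not part of either post: a savedsearches.conf stanza for the "firmtimechart" search that sets an explicit span, so summary events keep hourly rather than daily _time values. The 1h span, the hourly schedule and search window, and the target index name (taken from `index=summary` in the question) are assumptions.

```ini
# savedsearches.conf -- added example, not the poster's actual configuration.
# Before (from the question): window -6mon@s .. now with no span=, so
# sitimechart picks the bucket size itself and _time is snapped to the start
# of each bucket (the poster observed midnight, i.e. 1-day buckets).

[firmtimechart]
# span=1h is an assumed granularity: it fixes the bucket size so that _time in
# the summary index is the start of the hour the event fell in.
search = sourcetype="ims*" host="chi*" FirmName!="Eze" FirmName!="(null)" | sitimechart span=1h useother=f count by FirmName

# Assumed schedule: summarize one complete hour per run instead of re-running
# six months each time. Snapping both ends to @h keeps runs from overlapping
# or leaving gaps.
enableSched = 1
cron_schedule = 5 * * * *
dispatch.earliest_time = -1h@h
dispatch.latest_time = @h

# Write the results to the summary index queried in the question.
action.summary_index = 1
action.summary_index._name = summary

# Reporting search over the summary (span must be >= the span stored above):
#   index=summary search_name="firmtimechart"
#     | timechart span=1h limit=5 useother=f count by FirmName
# A 10:59:54.960 PM event is then reported in the 10:00 PM bucket rather than
# the 12:00 AM one. The exact timestamp is still not preserved, because a
# summary index stores per-bucket statistics, not the original events.
```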