- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Knowledge Management
- :
- How to get time value into summary index data?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am currently generating a summary index using the following saved search.
sourcetype=mail | sistats count as sbj_count by subject
Which I am accessing it using:
summaryindex=myindex report=report_for_this_search | stats count as sbj_count by subject
This works however I need an _time value which this does not have. I try to create one by changing the saved search, based on the documentation for summary indexing without a timestamp to
sourcetype=mail | sistats count as sbj_count by subject | eval _time=now()
and accessing it using
summaryindex=myindex report=report_for_this_search | stats count as sbj_count by subject | eval _time=now() | table _time,subject,sbj_count
Which produces the _time values as the time of my search rather than the time of the search which generated the summary index. How do I get the _time value to be the time that the summary index event ran rather than when I searched the summary index?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change your summary index search like this
sourcetype=mail | eval _time=now() | sistats count as sbj_count by subject _time
And access it like this
index=myindex report=report_for_this_search | stats count as sbj_count by subject _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Change your summary index search like this
sourcetype=mail | eval _time=now() | sistats count as sbj_count by subject _time
And access it like this
index=myindex report=report_for_this_search | stats count as sbj_count by subject _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you, this worked well. This method of doing it makes more sense now that I think about it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try adding _time to the by clause in your sistats command:
sourcetype=mail | sistats count as sbj_count by subject, _time
To test it out first, just use the regular stats command to ensure you get what you expect:
sourcetype=mail | stats count as sbj_count by subject, _time
Depending on what your data looks like you may have multiple timestamps to deal with, so something like | stats max(_time) AS _time may also be helpful if you want the last timestamp. Would likely then need to convert the epoch to human readable. Really depends what the data looks like and what your desired outcome is. Feel free to post a couple example events to allow us to help further.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the response, this would work for most people who are trying to group by the time of the event, and works if I trasnform the time using the command given below. Thank you for the response though!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ah! I re-read your post and see what you mean now! Glad Somesoni2 got you sorted!
Technical Workshop Series: Splunk Data Management and SPL2 | Register here!
Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk
Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability
