How to get time value into summary index data?

Explorer

I am currently generating a summary index using the following saved search.

sourcetype=mail | sistats count as sbj_count by subject

which I am accessing using:

summaryindex=myindex report=report_for_this_search | stats count as sbj_count by subject

This works; however, I need a _time value, which this does not have. I tried to create one by changing the saved search, based on the documentation for summary indexing without a timestamp, to

sourcetype=mail | sistats count as sbj_count by subject | eval _time=now()

and accessing it using

summaryindex=myindex report=report_for_this_search | stats count as sbj_count by subject | eval _time=now() | table _time,subject,sbj_count

This produces _time values equal to the time of my search rather than the time of the search that generated the summary index. How do I get the _time value to be the time that the summary index search ran rather than the time when I searched the summary index?

SplunkTrust

Change your summary index search like this

sourcetype=mail | eval _time=now() | sistats count as sbj_count by subject _time

And access it like this

index=myindex report=report_for_this_search | stats count as sbj_count by subject _time
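
A fuller version of the same pattern, added here as an illustration and not taken from any post in this thread. It assumes the question's sourcetype, summary index and report names (`mail`, `myindex`, `report_for_this_search`); `addinfo` and `bin` are standard SPL commands. The first search stamps each summary row with the end of the scheduled search's own time window (`info_max_time`) instead of the wall-clock `now()`, so a rerun or backfill of the saved search over an older window carries that window's timestamp. The second search reads the summary back. The third is the variant from the other answer, keeping the original event times bucketed to the hour so the summary can later be re-aggregated at any coarser granularity.

```spl
sourcetype=mail
| addinfo
| eval _time=info_max_time
| sistats count as sbj_count by subject _time

index=myindex report=report_for_this_search
| stats count as sbj_count by subject _time
| table _time subject sbj_count

sourcetype=mail
| bin _time span=1h
| sistats count as sbj_count by subject _time
```

`addinfo` adds `info_min_time`, `info_max_time` and `info_search_time` to every event; using `info_max_time` ties the summary row to the data window rather than to when the scheduler happened to dispatch the job. Whichever stamping method is used, `_time` has to be in the `by` clause of `sistats` (as in the accepted answer) or the summary rows will not carry a timestamp at all.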

Explorer

Thank you, this worked well. This method of doing it makes more sense now that I think about it.

Splunk Employee

Try adding _time to the by clause in your sistats command:

sourcetype=mail | sistats count as sbj_count by subject, _time

To test it out first, just use the regular stats command to ensure you get what you expect:

sourcetype=mail | stats count as sbj_count by subject, _time

Depending on what your data looks like you may have multiple timestamps to deal with, so something like | stats max(_time) AS _time may also be helpful if you want the last timestamp. Would likely then need to convert the epoch to human readable. Really depends what the data looks like and what your desired outcome is. Feel free to post a couple example events to allow us to help further.

Explorer

Thank you for the response. This would work for most people who are trying to group by the time of the event, and it works if I transform the time using the command given below. Thank you for the response though!

Splunk Employee

Ah! I re-read your post and see what you mean now! Glad Somesoni2 got you sorted!