bad _time in summary index or collect command

splunkj900 · ‎12-22-2011

hey
i have a data source of csv type, generated from a script that runs every 1 minute.
the data has "time" field, which is in dd/mm/yyyy hh:mi format, and everything works great.
when i create a summmary index that runs every 5 minutes, using the web interface, or use a collect command to do it manually one time, i have the following problem :

the time fields that splunk shows the data according to is _time which gets the time of the summary/collect runtime, and not the time of the data under it.

for example

say my data is

time country counter
20/12/2011 15:50 canada 50
20/12/2011 15:51 canada 60
20/12/2011 15:52 canada 60
20/12/2011 15:50 spain 11
20/12/2011 15:51 spain 11
20/12/2011 15:52 spain 11

i would like to aggregate the data by time only so i would have

time counter
20/12/2011 15:50 61
20/12/2011 15:51 71
20/12/2011 15:52 71

by doing
index=x source=y | stats sum(counter) by time

when i do this search in the web interface everything is ok, but when i schedule this to be a summary index or do pipe it to a collect command i get this :

_time time counter
12/22/11 3:55:00.00 PM 20/12/2011 15:50 61
12/22/11 3:55:00.00 PM 20/12/2011 15:51 61
12/22/11 3:55:00.00 PM 20/12/2011 15:52 61

and the data is shown according to the _time field.
i've tried all kinds of tricks like setting the _time with eval, doing addtime=f in the collect, and nothing works.

splunk version is 4.2.4
thanks

imrago · ‎12-22-2011

You could try to write also the _time field into SI.

... | stats sum(counter) by time | ... | table _time field1 field2 ... fieldn

splunkj900 · ‎12-22-2011

if i do that i get _time empty when i do my search, and when i use collect on it and search the result, i get the same thing, _time has the time of the collect.
why is the field _time not getting the value in time?

DalJeanis · ‎06-22-2017

index=x source=y | stats sum(counter) by time | rename time as _time