Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

collecting data from kvstore to index

mintucs
New Member
‎05-22-2018 04:52 AM

while i am collecting from kv store to index

|inputlookup amkc | collect index="game"

the index having time as current time how could we can sync _time with kv store time field

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎05-22-2018 09:30 AM

Create a field _time explicitly, and assigned the epoch value of your kv time field.

If your timeField from kvstore is already in epoch format, try like this

|inputlookup amkc | eval _time=timeField | collect index="game"

If your timeField from kvstore is no in epoch format, use strftime function to do so, like this (assuming string time format of field timeField is %Y-%m-%d %H:%M:%S, update the same per your format)

|inputlookup amkc | eval _time=strftime(timeField,"%Y-%m-%d %H:%M:%S") | collect index="game"
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...