Other Usage

Any suggestions on how to use my _time field to index instead the search start time?

vik
Explorer

Hi Guys... 

 

I have a scheduled search (Report) running a query with earliest=-2h@m latest=now. I have redirected the output to a Summary index. However, the output is The output is being redirected to the index but has the _time as the begining of the search time. 

 

The output has _time field from the search I run but this field is not being considered while indexing the data. Any suggestions on how to use my _time field to index instead the search start time. 

 

Thanks in advance

Tags (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

You needlessly cast _time to string with strftime at the end of your search. Just do

| eval _time=Time/1000

Oh, and if Splunk treats your Time variable as text, you'll have to convert it to number

| eval _time=tonumber(Time)/1000

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

_time would normally be added to the summary index, provided it is in epoch format.

If it is still in epoch format and not working, please share your search in a code block </> so we can see if there is something else which might be causing your issue.

0 Karma

vik
Explorer

@ITWhisperer  Yes, I am populating the data in the _time field. I can see timestamp in _time in the output but it does not seem to use "_time" field for indexing. I tried both epoch and formatting like below. 

 

| makeresults
| eval moduleName="".module.""
| eval uri="<<<URL>>>"
| eval header="<<<Header INFO>>>"
| curl method=get headerfield=header urifield=uri
| spath input=curl_message
| table "result{}.metricId" "result{}.data{}.values{}" "result{}.data{}.timestamps{}" moduleName
| rename "result{}.data{}.values{}" as "Failures"
| rename "result{}.data{}.timestamps{}" as "Time"
| eval tmp_field = mvzip(Failures, Time, "-|-")
| fields tmp_field moduleName
| mvexpand tmp_field
| makemv delim="-|-" tmp_field
| eval Failures = mvindex(tmp_field, 0)
| eval Time = mvindex(tmp_field, 1)
| eval _time=strftime((Time/1000),"%Y-%m-%dT%H:%M:%S.%Q")
| fields - tmp_field Time
| search Failures!=null
| table _time moduleName Failures

0 Karma

PickleRick
SplunkTrust
SplunkTrust

You needlessly cast _time to string with strftime at the end of your search. Just do

| eval _time=Time/1000

Oh, and if Splunk treats your Time variable as text, you'll have to convert it to number

| eval _time=tonumber(Time)/1000
0 Karma

vik
Explorer

Thanks @PickleRick using tonumber helped! I am now able to index the data using the timestamp returned as part of my search. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vik ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vik,

could you share your search?

did you expressed the _time in the fields outputted in the results?

Ciao.

Giuseppe

0 Karma

vik
Explorer

@gcusello  Yes, I am populating the data in the _time field. I can see timestamp in _time in the output but it does not seem to use "_time" field for indexing. I tried both epoch and formatting like below. 

 

| makeresults
| eval moduleName="".module.""
| eval uri="<<<URL>>>"
| eval header="<<<Header INFO>>>"
| curl method=get headerfield=header urifield=uri
| spath input=curl_message
| table "result{}.metricId" "result{}.data{}.values{}" "result{}.data{}.timestamps{}" moduleName
| rename "result{}.data{}.values{}" as "Failures"
| rename "result{}.data{}.timestamps{}" as "Time"
| eval tmp_field = mvzip(Failures, Time, "-|-")
| fields tmp_field moduleName
| mvexpand tmp_field
| makemv delim="-|-" tmp_field
| eval Failures = mvindex(tmp_field, 0)
| eval Time = mvindex(tmp_field, 1)
| eval _time=strftime((Time/1000),"%Y-%m-%dT%H:%M:%S.%Q")
| fields - tmp_field Time
| search Failures!=null
| table _time moduleName Failures

0 Karma
Get Updates on the Splunk Community!

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...

Alerting Best Practices: How to Create Good Detectors

At their best, detectors and the alerts they trigger notify teams when applications aren’t performing as ...

Discover Powerful New Features in Splunk Cloud Platform: Enhanced Analytics, ...

Hey Splunky people! We are excited to share the latest updates in Splunk Cloud Platform 9.3.2408. In this ...