Other Usage

Any suggestions on how to use my _time field to index instead the search start time?

vik
Explorer

Hi Guys... 

 

I have a scheduled search (Report) running a query with earliest=-2h@m latest=now. I have redirected the output to a Summary index. However, the output is The output is being redirected to the index but has the _time as the begining of the search time. 

 

The output has _time field from the search I run but this field is not being considered while indexing the data. Any suggestions on how to use my _time field to index instead the search start time. 

 

Thanks in advance

Tags (1)
0 Karma
1 Solution

PickleRick
SplunkTrust
SplunkTrust

You needlessly cast _time to string with strftime at the end of your search. Just do

| eval _time=Time/1000

Oh, and if Splunk treats your Time variable as text, you'll have to convert it to number

| eval _time=tonumber(Time)/1000

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

_time would normally be added to the summary index, provided it is in epoch format.

If it is still in epoch format and not working, please share your search in a code block </> so we can see if there is something else which might be causing your issue.

0 Karma

vik
Explorer

@ITWhisperer  Yes, I am populating the data in the _time field. I can see timestamp in _time in the output but it does not seem to use "_time" field for indexing. I tried both epoch and formatting like below. 

 

| makeresults
| eval moduleName="".module.""
| eval uri="<<<URL>>>"
| eval header="<<<Header INFO>>>"
| curl method=get headerfield=header urifield=uri
| spath input=curl_message
| table "result{}.metricId" "result{}.data{}.values{}" "result{}.data{}.timestamps{}" moduleName
| rename "result{}.data{}.values{}" as "Failures"
| rename "result{}.data{}.timestamps{}" as "Time"
| eval tmp_field = mvzip(Failures, Time, "-|-")
| fields tmp_field moduleName
| mvexpand tmp_field
| makemv delim="-|-" tmp_field
| eval Failures = mvindex(tmp_field, 0)
| eval Time = mvindex(tmp_field, 1)
| eval _time=strftime((Time/1000),"%Y-%m-%dT%H:%M:%S.%Q")
| fields - tmp_field Time
| search Failures!=null
| table _time moduleName Failures

0 Karma

PickleRick
SplunkTrust
SplunkTrust

You needlessly cast _time to string with strftime at the end of your search. Just do

| eval _time=Time/1000

Oh, and if Splunk treats your Time variable as text, you'll have to convert it to number

| eval _time=tonumber(Time)/1000
0 Karma

vik
Explorer

Thanks @PickleRick using tonumber helped! I am now able to index the data using the timestamp returned as part of my search. 

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vik ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @vik,

could you share your search?

did you expressed the _time in the fields outputted in the results?

Ciao.

Giuseppe

0 Karma

vik
Explorer

@gcusello  Yes, I am populating the data in the _time field. I can see timestamp in _time in the output but it does not seem to use "_time" field for indexing. I tried both epoch and formatting like below. 

 

| makeresults
| eval moduleName="".module.""
| eval uri="<<<URL>>>"
| eval header="<<<Header INFO>>>"
| curl method=get headerfield=header urifield=uri
| spath input=curl_message
| table "result{}.metricId" "result{}.data{}.values{}" "result{}.data{}.timestamps{}" moduleName
| rename "result{}.data{}.values{}" as "Failures"
| rename "result{}.data{}.timestamps{}" as "Time"
| eval tmp_field = mvzip(Failures, Time, "-|-")
| fields tmp_field moduleName
| mvexpand tmp_field
| makemv delim="-|-" tmp_field
| eval Failures = mvindex(tmp_field, 0)
| eval Time = mvindex(tmp_field, 1)
| eval _time=strftime((Time/1000),"%Y-%m-%dT%H:%M:%S.%Q")
| fields - tmp_field Time
| search Failures!=null
| table _time moduleName Failures

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...