Any suggestions on how to use my _time field to index instead the search start time?

vik
Explorer

Hi Guys...

I have a scheduled search (Report) running a query with earliest=-2h@m latest=now. I have redirected the output to a Summary index. However, the output is being redirected to the index but has _time set to the beginning of the search time.

The output has a _time field from the search I run, but this field is not being considered while indexing the data. Any suggestions on how to use my _time field to index instead of the search start time?

Thanks in advance

1 Solution

PickleRick
SplunkTrust
SplunkTrust

You needlessly cast _time to string with strftime at the end of your search. Just do

| eval _time=Time/1000

Oh, and if Splunk treats your Time variable as text, you'll have to convert it to number

| eval _time=tonumber(Time)/1000

ITWhisperer
SplunkTrust
SplunkTrust

_time would normally be added to the summary index, provided it is in epoch format.

If it is still in epoch format and not working, please share your search in a code block </> so we can see if there is something else which might be causing your issue.

vik
Explorer

@ITWhisperer Yes, I am populating the data in the _time field. I can see the timestamp in _time in the output, but it does not seem to use the "_time" field for indexing. I tried both epoch and formatting like below.

| makeresults
| eval moduleName="".module.""
| eval uri="<<<URL>>>"
| eval header="<<<Header INFO>>>"
| curl method=get headerfield=header urifield=uri
| spath input=curl_message
| table "result{}.metricId" "result{}.data{}.values{}" "result{}.data{}.timestamps{}" moduleName
| rename "result{}.data{}.values{}" as "Failures"
| rename "result{}.data{}.timestamps{}" as "Time"
| eval tmp_field = mvzip(Failures, Time, "-|-")
| fields tmp_field moduleName
| mvexpand tmp_field
| makemv delim="-|-" tmp_field
| eval Failures = mvindex(tmp_field, 0)
| eval Time = mvindex(tmp_field, 1)
| eval _time=strftime((Time/1000),"%Y-%m-%dT%H:%M:%S.%Q")
| fields - tmp_field Time
| search Failures!=null
| table _time moduleName Failures

vik
Explorer

Thanks @PickleRick, using tonumber helped! I am now able to index the data using the timestamp returned as part of my search.
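The corrected search end to end, as an added example (not vik's or PickleRick's code): it applies tonumber() before the division so _time is a numeric epoch value, handles both millisecond and second timestamps (a generalization beyond this thread, where Time is milliseconds), and writes the rows to the summary index with collect. The index name summary_failures and the source value are placeholders; the <<<URL>>> and <<<Header INFO>>> placeholders are the ones from the original search.

```spl
| makeresults
| eval moduleName="".module.""
| eval uri="<<<URL>>>"
| eval header="<<<Header INFO>>>"
| curl method=get headerfield=header urifield=uri
| spath input=curl_message
| rename "result{}.data{}.values{}" as Failures, "result{}.data{}.timestamps{}" as Time
| eval tmp_field=mvzip(Failures, Time, "-|-")
| fields tmp_field moduleName
| mvexpand tmp_field
| makemv delim="-|-" tmp_field
| eval Failures=tonumber(mvindex(tmp_field, 0)), Time=tonumber(mvindex(tmp_field, 1))
| where isnotnull(Failures) AND isnotnull(Time)
| eval _time=if(Time > 100000000000, Time/1000, Time)
| table _time moduleName Failures
| collect index=summary_failures source="module_failures"
```

Run it once without the final collect line and confirm the _time column shows numeric epoch seconds before scheduling it; a string-typed _time (the strftime output) is what made the summary events fall back to the search start time.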

gcusello
SplunkTrust
SplunkTrust

Hi @vik ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

gcusello
SplunkTrust
SplunkTrust

Hi @vik,

could you share your search?

did you express _time in the fields output in the results?

Ciao.

Giuseppe

vik
Explorer

@gcusello Yes, I am populating the data in the _time field. I can see the timestamp in _time in the output, but it does not seem to use the "_time" field for indexing. I tried both epoch and formatting like below.


| makeresults
| eval moduleName="".module.""
| eval uri="<<<URL>>>"
| eval header="<<<Header INFO>>>"
| curl method=get headerfield=header urifield=uri
| spath input=curl_message
| table "result{}.metricId" "result{}.data{}.values{}" "result{}.data{}.timestamps{}" moduleName
| rename "result{}.data{}.values{}" as "Failures"
| rename "result{}.data{}.timestamps{}" as "Time"
| eval tmp_field = mvzip(Failures, Time, "-|-")
| fields tmp_field moduleName
| mvexpand tmp_field
| makemv delim="-|-" tmp_field
| eval Failures = mvindex(tmp_field, 0)
| eval Time = mvindex(tmp_field, 1)
| eval _time=strftime((Time/1000),"%Y-%m-%dT%H:%M:%S.%Q")
| fields - tmp_field Time
| search Failures!=null
| table _time moduleName Failures
