Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Any suggestions on how to use my _time field to index instead the search start time?

vik
Explorer
‎04-07-2023 01:40 PM

Hi Guys... 

 

I have a scheduled search (Report) running a query with earliest=-2h@m latest=now. I have redirected the output to a Summary index. However, the output is The output is being redirected to the index but has the _time as the begining of the search time. 

 

The output has _time field from the search I run but this field is not being considered while indexing the data. Any suggestions on how to use my _time field to index instead the search start time. 

 

Thanks in advance

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-10-2023 11:42 AM

You needlessly cast _time to string with strftime at the end of your search. Just do

| eval _time=Time/1000

Oh, and if Splunk treats your Time variable as text, you'll have to convert it to number

| eval _time=tonumber(Time)/1000

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-08-2023 03:39 AM

_time would normally be added to the summary index, provided it is in epoch format.

If it is still in epoch format and not working, please share your search in a code block </> so we can see if there is something else which might be causing your issue.

0 Karma
Reply
Solved! Jump to solution

vik
Explorer
‎04-10-2023 10:43 AM

@ITWhisperer  Yes, I am populating the data in the _time field. I can see timestamp in _time in the output but it does not seem to use "_time" field for indexing. I tried both epoch and formatting like below. 

 

| makeresults
| eval moduleName="".module.""
| eval uri="<<<URL>>>"
| eval header="<<<Header INFO>>>"
| curl method=get headerfield=header urifield=uri
| spath input=curl_message
| table "result{}.metricId" "result{}.data{}.values{}" "result{}.data{}.timestamps{}" moduleName
| rename "result{}.data{}.values{}" as "Failures"
| rename "result{}.data{}.timestamps{}" as "Time"
| eval tmp_field = mvzip(Failures, Time, "-|-")
| fields tmp_field moduleName
| mvexpand tmp_field
| makemv delim="-|-" tmp_field
| eval Failures = mvindex(tmp_field, 0)
| eval Time = mvindex(tmp_field, 1)
| eval _time=strftime((Time/1000),"%Y-%m-%dT%H:%M:%S.%Q")
| fields - tmp_field Time
| search Failures!=null
| table _time moduleName Failures

0 Karma
Reply
Solved! Jump to solution
Solution

PickleRick
SplunkTrust
SplunkTrust
‎04-10-2023 11:42 AM

You needlessly cast _time to string with strftime at the end of your search. Just do

| eval _time=Time/1000

Oh, and if Splunk treats your Time variable as text, you'll have to convert it to number

| eval _time=tonumber(Time)/1000
0 Karma
Reply
Solved! Jump to solution

vik
Explorer
‎04-13-2023 11:44 AM

Thanks @PickleRick using tonumber helped! I am now able to index the data using the timestamp returned as part of my search. 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-14-2023 12:01 AM

Hi @vik ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-07-2023 10:45 PM

Hi @vik,

could you share your search?

did you expressed the _time in the fields outputted in the results?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

vik
Explorer
‎04-10-2023 10:42 AM

@gcusello  Yes, I am populating the data in the _time field. I can see timestamp in _time in the output but it does not seem to use "_time" field for indexing. I tried both epoch and formatting like below. 

 

| makeresults
| eval moduleName="".module.""
| eval uri="<<<URL>>>"
| eval header="<<<Header INFO>>>"
| curl method=get headerfield=header urifield=uri
| spath input=curl_message
| table "result{}.metricId" "result{}.data{}.values{}" "result{}.data{}.timestamps{}" moduleName
| rename "result{}.data{}.values{}" as "Failures"
| rename "result{}.data{}.timestamps{}" as "Time"
| eval tmp_field = mvzip(Failures, Time, "-|-")
| fields tmp_field moduleName
| mvexpand tmp_field
| makemv delim="-|-" tmp_field
| eval Failures = mvindex(tmp_field, 0)
| eval Time = mvindex(tmp_field, 1)
| eval _time=strftime((Time/1000),"%Y-%m-%dT%H:%M:%S.%Q")
| fields - tmp_field Time
| search Failures!=null
| table _time moduleName Failures

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform

 Are you ready to revolutionize your IT operations? As digital transformation accelerates, the demand for ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...