I have data coming into Splunk on a daily basis; this data can have event times which are any time in the last month.
I have saved searches set up to index this data, again on a daily basis. However, to ensure the saved search only picks up the new data, I have forced Splunk to ignore my events' actual time fields and force a _time of when the data was indexed.
So I now have a problem when using timelines, as my search is using the _time field and not the real event Time field. Is there any function included where I can force a Splunk search to use a custom time field?
You need to replace the _time field as below (if I understand correctly, you are using timechart):
your search|eval _time=strptime(Time,"%y/%m/%d %H:%M:%S")|timechart ...
Then check in a table whether it's correct. You will be able to use the timechart option according to the custom Time field. Thanks, hope it clarifies.
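As an added example (not from the answer above), this pairs that eval with the "check in a table" step: the first search lists the indexed _time beside the parsed event time and flags rows where strptime returned null because the Time value did not match the format; the second is the timechart itself, with unparseable events dropped so they do not land in the wrong bucket. The index name myindex, sourcetype my_daily_feed and the field name Time are assumptions.

```spl
index=myindex sourcetype=my_daily_feed earliest=-1d@d latest=now
| eval event_time=strptime(Time, "%y/%m/%d %H:%M:%S")
| eval parse_ok=if(isnotnull(event_time), "ok", "FAILED")
| eval indexed_at=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval event_at=strftime(event_time, "%Y-%m-%d %H:%M:%S")
| table indexed_at Time event_at parse_ok
| sort parse_ok

index=myindex sourcetype=my_daily_feed earliest=-1d@d latest=now
| eval _time=strptime(Time, "%y/%m/%d %H:%M:%S")
| where isnotnull(_time)
| timechart span=1d count
```

The earliest/latest window still filters on the indexed _time, because the eval runs after events are retrieved; keep it on the indexing window (here the last day) and let span=1d spread the results across the month of real event times.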
Works great for the Splunk timecharts, thank you. When using Sideview's FlashTimeline, it doesn't pick up the evaluated _time field but just uses the index time.
I have been able to get that stage working, so all my events now have a _time of when they were indexed. All events have an additional 'Time' field. So the issue is how to make use of a custom 'Time' field at search time and ignore _time.
Use props.conf to set your indexing time rather than the event time:
DATETIME_CONFIG = NONE / CURRENT
If the data is already indexed, there is nothing that can be done. Either it has to be deleted, or the captured time needs to be used.