Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use custom time field for individual search

b1388035
Explorer
‎07-08-2013 02:13 AM

I have data coming into Splunk on a daily basis, this data can have event times which are anytime in the last month.

I have saved searches setup to index this data, again on a daily basis. However to ensure the saved search only picks up the new data I have forced splunk to ignore my event's actual time fields and force a _time of when the data was indexed.

So, I now have a problem when using timelines as my search is using then _time field and are not using the real event Time field. Is there any function included where I can force a splunk search to use a custom time field.

Reply
1 Solution
Solved! Jump to solution
Solution

linu1988
Champion
‎07-08-2013 05:24 AM

you need to replace the _time fields as below(if i understand correctly you are using timechart):

your search|eval _time=strptime(Time,"%y/%m/%d %H:%M:%S")|timechart ...

then see in a table if its correct. You will be able to use the timechart option according to the custom Time field. Thanks, hope it clarifies..

View solution in original post

Reply
Solved! Jump to solution
Solution

linu1988
Champion
‎07-08-2013 05:24 AM

you need to replace the _time fields as below(if i understand correctly you are using timechart):

your search|eval _time=strptime(Time,"%y/%m/%d %H:%M:%S")|timechart ...

then see in a table if its correct. You will be able to use the timechart option according to the custom Time field. Thanks, hope it clarifies..

Reply
Solved! Jump to solution

b1388035
Explorer
‎07-08-2013 09:00 AM

Works great for the Splunk timecharts thank you. When using Sideviews' FlashTimeline it doesn't pick up the evaluated _time field but just uses the index time.

0 Karma
Reply
Solved! Jump to solution

b1388035
Explorer
‎07-08-2013 05:10 AM

I have been able to get that stage working so all my events now have a _time of when they were indexed. All events have an additional 'Time' field. So, The issue is how to make use of a custom 'Time' field at search time and ignore _time

Reply
Solved! Jump to solution

linu1988
Champion
‎07-08-2013 03:12 AM

use the props.conf to set up your indexing time rather than the event time.

DATETIME_CONFIG=NONE/ CURRENT

If the data is already indexed there is nothing that can be done. Either it has to be deleted/ the captured time needs to be used.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...