Splunk Cloud Platform
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why Summary index not generating milliseconds when used in spl query?

Kirthika
Path Finder
‎09-01-2023 11:49 PM

When I create report and enable summary index, the results are getting in the below format.

 

Table:

id    _time

1      2022-06-01 12:01:30.802

1      2022-06-01 12:11:47.069

 

But when I call this summary index using spl query,

milliseconds are missing in _time column.

 

Query I have used,

index="summary" report="yy"

|eventstats max(search_now) as latestsearch by id, report

|where search_now = latestsearch

 

This query is to fetch latest run result

Labels (2)
Tags (3)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-03-2023 04:24 PM

It seems like this has been a problem for some time, e.g.

https://community.splunk.com/t5/Knowledge-Management/Why-are-collected-events-in-a-summary-index-los...

I generally avoid using the summary indexing option in the scheduled search, but instead use the collect statement directly in the SPL and format the _raw field I want, as _time is also a bit strange with the collect command.

You need to have a _raw with the _time value set in there, to make it work well, e.g.

``` Your search ... ```
| fields _time field1 field2...
| eval _raw="_time="._time
| foreach "*" 
    [| eval _raw=_raw.case(isnull('<<FIELD>>'),"",
                           true(), ", <<FIELD>>=\"".'<<FIELD>>'."\"") 
    | fields - "<<FIELD>>" ] 

| collect index=your_summary_index addtime=f

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-03-2023 07:29 AM

What search have you used to populate the summary index?

0 Karma
Reply

Kirthika
Path Finder
‎09-03-2023 11:49 PM

Hi @ITWhisperer ,
This is the search I have used.

index="xxx" source="*yyy"
| eval id=mvindex(split(source,"/"),5)
| reverse
| table id _raw
| rex field=_raw "(?<timestamp>[^|]+)\|(?<PID>[^|]+)"
| table id timestamp PID
| eval _time=strptime(timestamp,"%Y-%m-%d %H:%M:%S.%4N")
| table id _time PID
| sort 0 id _time
| streamstats count as s_no by id
| table id _time s_no PID

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎09-04-2023 03:27 PM

You can see from my earlier post that this appears to be an issue that is still unresolved, so you will need to address it another way, as referenced.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...