Why Summary index not generating milliseconds when...

Kirthika · ‎09-01-2023

When I create report and enable summary index, the results are getting in the below format.

Table:

id _time

1 2022-06-01 12:01:30.802

1 2022-06-01 12:11:47.069

But when I call this summary index using spl query,

milliseconds are missing in _time column.

Query I have used,

index="summary" report="yy"

|eventstats max(search_now) as latestsearch by id, report

|where search_now = latestsearch

This query is to fetch latest run result

bowesmana · ‎09-03-2023

It seems like this has been a problem for some time, e.g.

https://community.splunk.com/t5/Knowledge-Management/Why-are-collected-events-in-a-summary-index-los...

I generally avoid using the summary indexing option in the scheduled search, but instead use the collect statement directly in the SPL and format the _raw field I want, as _time is also a bit strange with the collect command.

You need to have a _raw with the _time value set in there, to make it work well, e.g.

``` Your search ... ```
| fields _time field1 field2...
| eval _raw="_time="._time
| foreach "*" 
    [| eval _raw=_raw.case(isnull('<<FIELD>>'),"",
                           true(), ", <<FIELD>>=\"".'<<FIELD>>'."\"") 
    | fields - "<<FIELD>>" ] 

| collect index=your_summary_index addtime=f

ITWhisperer · ‎09-03-2023

What search have you used to populate the summary index?

Kirthika · ‎09-03-2023

Hi @ITWhisperer ,
This is the search I have used.

bowesmana · ‎09-04-2023

You can see from my earlier post that this appears to be an issue that is still unresolved, so you will need to address it another way, as referenced.

Why Summary index not generating milliseconds when used in spl query?

Analytics Workspace

development

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Buttercup Games: Further Dashboarding Techniques (Part 5)

Customers Increasingly Choose Splunk for Observability