Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Collect changes my timestamp

ramarm
New Member
‎07-17-2019 09:35 AM

Hi,

I want to have a scheduled search that take data and make some logic on it and at the end put it in a summary index.
The problem is that it changes my timestamp no matter what i do.
I've tried giving the collect "timeformat" as my time format, tried using eval _time = strptime(), tried both addtime options and nothing works.

My events in the indexes are either json or csv with a custom source type. The splunk recognize my timestamp as I want but in testmode=true. But when I change it to false the summary index timestamp is the search time or the info_min_time, depends my search syntax.
I would say that if i do the same search in the _internal index the timestamp is the original time. As I want in my indexes.

I looked everywhere and didn't find anything that works.

Thank for helping

0 Karma
Reply

woodcock
Esteemed Legend
‎07-17-2019 12:26 PM

Splunk's _time field is very special. It is always in integer but this is obscured because it carries around this code with it at all times | fieldformat _time = strftime(_time, "%c"). Is your _time field an integer or is it human-formatted (it must be the former)?

0 Karma
Reply

ramarm
New Member
‎07-18-2019 01:12 AM

Hi,
I tried to look of my field is number or string as recommend.
I used eval type=typeof(_time) and in both indexes, mine and the _internal for example it was number.
Any other suggestions?

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...