Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Collect changes my timestamp

ramarm
New Member
‎07-17-2019 09:35 AM

Hi,

I want to have a scheduled search that take data and make some logic on it and at the end put it in a summary index.
The problem is that it changes my timestamp no matter what i do.
I've tried giving the collect "timeformat" as my time format, tried using eval _time = strptime(), tried both addtime options and nothing works.

My events in the indexes are either json or csv with a custom source type. The splunk recognize my timestamp as I want but in testmode=true. But when I change it to false the summary index timestamp is the search time or the info_min_time, depends my search syntax.
I would say that if i do the same search in the _internal index the timestamp is the original time. As I want in my indexes.

I looked everywhere and didn't find anything that works.

Thank for helping

0 Karma
Reply

woodcock
Esteemed Legend
‎07-17-2019 12:26 PM

Splunk's _time field is very special. It is always in integer but this is obscured because it carries around this code with it at all times | fieldformat _time = strftime(_time, "%c"). Is your _time field an integer or is it human-formatted (it must be the former)?

0 Karma
Reply

ramarm
New Member
‎07-18-2019 01:12 AM

Hi,
I tried to look of my field is number or string as recommend.
I used eval type=typeof(_time) and in both indexes, mine and the _internal for example it was number.
Any other suggestions?

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...