Hi,
I want to have a scheduled search that takes data, applies some logic to it, and at the end puts it in a summary index.
The problem is that it changes my timestamp no matter what I do.
I've tried giving the collect "timeformat" as my time format, tried using eval _time = strptime(), tried both addtime options, and nothing works.
My events in the indexes are either JSON or CSV with a custom sourcetype. Splunk recognizes my timestamp as I want, but only with testmode=true. When I change it to false, the summary index timestamp is the search time or the info_min_time, depending on my search syntax.
I would say that if I do the same search in the _internal index, the timestamp is the original time, as I want in my indexes.
I looked everywhere and didn't find anything that works.
Thanks for helping
Splunk's _time field is very special. It is always an integer, but this is obscured because it carries around this code with it at all times: | fieldformat _time = strftime(_time, "%c")
Is your _time field an integer or is it human-formatted (it must be the former)?
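As an added example (not code from the original post or either reply), here is how that check looks in SPL, followed by a constructed scheduled search that keeps _time as an epoch integer all the way through stats and collect, and a query to verify what landed in the summary index. The index names (app_events, summary_app), the sourcetype my_json, the raw timestamp field ts and its format are all assumptions for the illustration.

```spl
# --- 1. Check the type of _time in the source index (assumed index/sourcetype) ---
# typeof(_time) must report "Number": collect needs an epoch value, not a
# human-formatted string. fieldformat only changes the display, not the stored value.
index=app_events sourcetype=my_json earliest=-1h@h latest=@h
| eval time_type=typeof(_time), human=strftime(_time, "%c")
| table _time time_type human

# --- 2. Scheduled search that writes to the summary index (constructed) ---
# If the event's own timestamp lives in a field (here assumed: ts), parse it
# into an epoch number and assign it to _time BEFORE any transforming command.
# Keeping _time as a BY field in stats means every summary row carries an
# integer _time, so collect has a real timestamp to index instead of falling
# back to info_min_time or the search time. addtime=false is deliberate here
# because the rows already carry _time.
index=app_events sourcetype=my_json earliest=-1h@h latest=@h
| eval _time=strptime(ts, "%Y-%m-%dT%H:%M:%S%z")
| where isnotnull(_time)
| bin _time span=5m
| stats count AS requests BY _time host status
| collect index=summary_app addtime=false

# --- 3. Verify the timestamps stored in the summary index (assumed name) ---
# Compare the indexed _time against the bucket start: they should match.
index=summary_app earliest=-1h@h latest=@h
| eval time_type=typeof(_time), human=strftime(_time, "%c")
| table _time time_type human requests host status
```

The where clause guards against rows whose ts did not parse: strptime returns null on a mismatch, and a null _time is exactly the case in which collect substitutes the search time range. Run step 2 with testmode=true first to inspect the rows, then flip it to false once the _time column shows integers.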
Hi,
I tried to check whether my field is a number or a string, as recommended.
I used eval type=typeof(_time)
and in both indexes, mine and _internal for example, it was a number.
Any other suggestions?