Hi,
When I search with a particular sourcetype, I get all the data, and the extracted fields are shown on the left side of the flashtimeline. But I'm not getting default fields like date_month, date_hour in the interesting fields section. Am I missing anything here?
Hello Chhaya,
I faced the same problem when I extracted the time from the log instead of using Splunk's event timings. However, as "AYN" suggested, you can use strftime to get those fields. It's pretty easy.
Try this:
Your search|eval date_mday=strftime(_time,"%d")|eval date_month=strftime(_time,"%b")|table date_mday,date_month
This way you will be able to use them at search time for charting/stats-related queries.
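To see what that eval chain actually produces, here is an added example in Python (not from this thread and not Splunk's own code) that recreates the date_* fields from an epoch _time the way strftime() does at search time; the field list, the lower-case month and weekday names and the date_zone offset-in-minutes convention are assumptions modelled on Splunk's default fields.

```python
from datetime import datetime, timezone, timedelta

# Assumed mapping of Splunk's default date_* fields to the strftime format
# that reproduces each one from _time (epoch seconds).
DATE_FIELD_FORMATS = {
    "date_year": "%Y",
    "date_month": "%B",   # full name; the thread's "%b" would give "Nov" instead
    "date_mday": "%d",
    "date_wday": "%A",    # full weekday name
    "date_hour": "%H",
    "date_minute": "%M",
    "date_second": "%S",
}

def fixed_offset(hours):
    """Build a fixed-offset time zone (e.g. -5 for EST) without tzdata."""
    return timezone(timedelta(hours=hours))

def recreate_date_fields(event_time, tz=timezone.utc):
    """Return the date_* fields for an epoch _time, as
    `| eval date_mday=strftime(_time,"%d") ...` would compute them.

    Only derived fields are produced: the indexed _time is never changed,
    the search merely formats it in the given time zone."""
    dt = datetime.fromtimestamp(float(event_time), tz=tz)
    fields = {name: dt.strftime(fmt) for name, fmt in DATE_FIELD_FORMATS.items()}
    # Assumption: Splunk stores these two as lower-case names ("november", "tuesday").
    fields["date_month"] = fields["date_month"].lower()
    fields["date_wday"] = fields["date_wday"].lower()
    # Assumption: date_zone is the offset from UTC in minutes, e.g. "-300" for EST.
    offset = dt.utcoffset() or timedelta(0)
    fields["date_zone"] = str(int(offset.total_seconds() // 60))
    return fields

def with_date_fields(events, tz=timezone.utc):
    """Enrich a list of event dicts (each carrying _time) with the date_* fields."""
    return [{**ev, **recreate_date_fields(ev["_time"], tz)} for ev in events]

if __name__ == "__main__":
    # Constructed sample events, not real data from the thread.
    sample = [{"_time": 1700000000, "sourcetype": "INSPRODSP", "_raw": "login ok"},
              {"_time": 1700003600, "sourcetype": "INSPRODSP", "_raw": "login failed"}]
    for ev in with_date_fields(sample, tz=fixed_offset(-5)):
        print(ev["date_wday"], ev["date_hour"], ev["date_zone"], ev["_raw"])
```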
But if you eval on the search head it is an extremely slow process versus having the indexer only return valid data. I am now trying this with a 7.0.0 universal forwarder and the same issue STILL exists... When is Splunk going to fix this obvious mistake?
You can never change data in the index, so you don't have to worry.
Hi linu1988,
If I run a search like this:
sourcetype="INSPRODSP" |eval date_mday=strftime(_time,"%d")|eval date_month=strftime(_time,"%b")|table date_mday,date_month
INSPRODSP has all my data. If I run the above query, will it affect the existing timestamp of the indexed events?
Or will it just give me the default fields?
I'm asking this because I just want to make sure that the above query will not affect the existing indexed data!!
"Seems like fields related to the time processor. In event logs at least these are not included because the time processor is not invoked in the same way as regular file monitor based inputs."
I didn't understand this. If possible, can you explain it to me in simple language?
Seems like fields related to the time processor. In event logs at least these are not included because the time processor is not invoked in the same way as regular file monitor based inputs. You could always recreate the date_* fields using eval's strftime function.
date_* fields and some timeendpos, timestartpos fields. I've loaded SharePoint logs. For the same logs in the previous indexer they were visible. But in the new indexer I've loaded the same logs and they're not visible.
Which specific fields are you missing? Just the date_* fields? Because these are not available for all sources; for instance, they are not present for Windows event logs, among others.
Yeah, they're not available even in the "View all x fields" link.
Are the fields also unavailable under the "View all X fields" link?