From _raw events I do not see _indextime

lpolo · ‎04-22-2020

I am wondering why from some set of _raw indexes I do not see _indextime. I should see it. Any idea?

Thanks,
Lp

gcusello · ‎04-22-2020

Hi @lpolo,
_indextime isn't a field displayed by default (I don't know why!), but it's always present, if you want it you must explicitate it using table or eval to display in human readable format:

index=my_index
| eval indextime=strftime(_indextime,"%d/%m/%Y %H:%M:%S")
| table _time indextime _raw

Ciao.
Giuseppe

lpolo · ‎04-22-2020

Thanks!
I am aware that it should always be present that is the reason of my question. I am wondering why some indexes I can see it with this simple query:

index=myindex| table _time _indextime

But with some other indexes I need to do this to see it:
index=myindex | eval indextime=_indextime | table _time indextime _indextime

lpolo · ‎04-22-2020

Grazie Mille Giuseppe. Forza Italia. 🙂

gcusello · ‎04-22-2020

You're welcome".
if you're staisfied by this answer, please accept and/or upvote it, for the other memebers of the Community.

sempre!
Ciao.
Giuseppe

From _raw events I do not see _indextime

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services