Solved: How can we modify the wrong _raw timestamp for a s...

abhijit_mhatre · ‎03-16-2017

After populating data under summary index we are getting wrong timestamp for all the fields.

Original search query:
index=ABC sourcetype=XYZ subtype=### earliest=-90d@d latest=now | eval date=strftime(_time, "%m/%d/%Y") | stats count as Incoming, count(eval(action="blocked")) as Blocked by date |collect index=summary_index source="***"

Post Summary index query:
index=summary_index source="***"

However, when i run the above query, I lose the actual timestamp of the event. Instead, all events in the summary index have the current system time as the timestamp.

somesoni2 · ‎03-16-2017

Change the Original Search like this

index=ABC sourcetype=XYZ subtype=### earliest=-90d@d latest=now  |timechart span=1d count as Incoming, count(eval(action="blocked")) as Blocked | eval date=strftime(_time, "%m/%d/%Y") |collect index=summary_index source="***"

View solution in original post

somesoni2 · ‎03-16-2017

Change the Original Search like this

index=ABC sourcetype=XYZ subtype=### earliest=-90d@d latest=now  |timechart span=1d count as Incoming, count(eval(action="blocked")) as Blocked | eval date=strftime(_time, "%m/%d/%Y") |collect index=summary_index source="***"

abhijit_mhatre · ‎03-16-2017

Thanks @somesoni2

The query worked & now we are getting correct timestamp for events.

jkat54 · ‎03-16-2017

They should also have a field called date yes?

If you want the full timestamp add _time to you stats command by clause:

... by date _time

adonio · ‎03-16-2017

like jkat54 said, ... | stats strips the time from results. add "by _time" to have that field

How can we modify the wrong _raw timestamp for a summary index?

Happy CX Day, Splunk Community!

Splunk Observability Cloud | Customer Survey!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas