Splunk Search

How to extract the _time value into a separate field?

Path Finder

I have one index of iis logs which extracts the timestamp into a "timestamp" field. I have another index which reads fields from _json objects. It extracts timestamps automatically from this and puts the timestamp into a _time field.

For the sake of consistency, I'd like the timestamp field to also be called "timestamp" in this separate JSON index (the json is pulled from a REST service attached to a SQL DB). I tried creating an alias for the _time to rename it to timestamp, however, it is converted into microseconds or something similar. I can convert it into a human readable value easily enough with a convert ctime() command in search, but I want to do this automatically at search-time, or perhaps even index-time.

Is there an easy way to extract the _time value or redirect it into a field of my choosing?

Thanks!

Super Champion

This may be a good use case for calculated fields. You can set up a calculated field based on either _time or _indextime (I'll come back to a question there in a second).

Take a look at these docs:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/definecalcfields

Just to be sure, are the builtin timestamps correct for the events? (From your question it sounds like they are, but from a comment earlier, it wasn't clear.) Getting timestamp recognition correct when the data is onboarded is super critical in Splunk. (I'd argue that it's the most important onboarding issue.) This is important if you want consistency in Splunk; start here:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Configuretimestamprecognition

If your sourcetypes are set up to use structured data (IIS/JSON), take a look at TIMESTAMP_FIELDS in props.conf:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Extractfieldsfromfileswithstructureddata


Once you've got _time set up correctly, Splunk can search on timeframes properly, and then you can make a friendly field using calculated fields:

 EVAL-timestamp = strftime(_time, "%Y-%m-%d %T")

BTW, a field alias only "copies" the field, it doesn't "move" a field. (And you wouldn't want it to; that would break lots of stuff.) It's not the same as the rename search command, it's more like eval newfield=oldfield.

0 Karma
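As an added example (not from the answer above and not from Splunk's documentation), a props.conf stanza that ties the two pieces of that answer together: _time is taken from the JSON field that carries the event time, and a calculated field then renders it under the same "timestamp" name the IIS sourcetype uses. The sourcetype name rest_json and the JSON field event_time are assumed placeholders for the poster's own values.

```ini
# Added example props.conf for the JSON index from the question.
# Assumed names: sourcetype "rest_json", JSON field "event_time".
[rest_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none

# Take _time from the event's own time field, not from the moment the
# indexer received it, so time-range searches and cross-index correlation
# with the IIS data line up on when things actually happened.
TIMESTAMP_FIELDS = event_time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z

# Search-time calculated field: _time is epoch seconds internally, so
# strftime renders it as text under the same name the IIS sourcetype uses.
EVAL-timestamp = strftime(_time, "%Y-%m-%d %T")

# If the raw JSON carries no time at all, _time and _indextime are the same
# moment anyway; this variant makes the fallback explicit:
# EVAL-timestamp = strftime(_indextime, "%Y-%m-%d %T")
```

INDEXED_EXTRACTIONS and TIMESTAMP_FIELDS take effect where the data is parsed (forwarder or indexer), while the EVAL- calculated field is a search-time setting, so in a distributed deployment the two halves of this stanza live on different tiers.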


Path Finder

The date is not in my raw event, hence I cannot use an extraction. The _time is just being assigned when the event is being indexed.

0 Karma

Motivator

OK, use the _indextime field, because the _indextime field contains the time that an event was indexed.

0 Karma