How to extract the _time value into a separate field?

jpanderson
Path Finder

I have one index of IIS logs which extracts the timestamp into a "timestamp" field. I have another index which reads fields from _json objects. It extracts timestamps automatically from this and puts the timestamp into a _time field.

For the sake of consistency, I'd like the timestamp field to also be called "timestamp" in this separate JSON index (the json is pulled from a REST service attached to a SQL DB). I tried creating an alias for the _time to rename it to timestamp, however, it is converted into microseconds or something similar. I can convert it into a human readable value easily enough with a convert ctime() command in search, but I want to do this automatically at search-time, or perhaps even index-time.

Is there an easy way to extract the _time value or redirect it into a field of my choosing?

Thanks!

Lowell
Super Champion

This may be a good use case for calculated fields. You can set up a calculated field based on either _time or _indextime (I'll come back to a question there in a second).

Take a look at these docs:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/definecalcfields

Just to be sure, are the built-in timestamps correct for the events? (From your question it sounds like they are, but from a comment earlier, it wasn't clear.) Getting timestamp recognition correct when the data is onboarded is super critical in Splunk. (I'd argue that it's the most important onboarding issue.) This is important. If you want consistency in Splunk, start here:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Configuretimestamprecognition

If your sourcetypes are set up to use structured data (IIS/JSON), take a look at TIMESTAMP_FIELDS in props.conf:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Extractfieldsfromfileswithstructureddata


Once you've got _time set up correctly, Splunk can search on timeframes properly, and then you can make a friendly field using calculated fields:

 EVAL-timestamp = strftime(_time, "%Y-%m-%d %T")

BTW, a field alias only "copies" the field, it doesn't "move" a field. (And you wouldn't want it to; that would break lots of stuff.) It's not the same as the rename search command, it's more like eval newfield=oldfield.

0 Karma

jpanderson
Path Finder

The date is not in my raw event, hence I cannot use an extraction. The _time is just being assigned when the event is being indexed.

0 Karma

fdi01
Motivator

OK, use the _indextime field, because the _indextime field contains the time that an event was indexed.

0 Karma
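Putting the two answers together as a single props.conf stanza (an added example, not posted by anyone in the thread; `[json_rest]` is a placeholder sourcetype name, and `indexed_at` is a name chosen here):

```ini
# Added example, not from the thread. [json_rest] is a placeholder for the
# sourcetype of the JSON index described in the question.
[json_rest]

# What the asker tried: a field alias. Aliases are applied before calculated
# fields at search time and only copy the raw epoch value of _time into
# "timestamp" (the "microseconds or something similar" seen in the question);
# they never reformat it. Left commented out for that reason.
# FIELDALIAS-ts = _time AS timestamp

# Calculated field, evaluated at search time after field extraction. It adds
# a human-readable copy of _time and leaves _time itself untouched, so
# time-range searches keep working.
EVAL-timestamp = strftime(_time, "%Y-%m-%d %T")

# When the raw event carries no date and _time is simply assigned at index
# time, _indextime records when the event was indexed; expose it the same way
# (the field name indexed_at is an assumption of this example).
EVAL-indexed_at = strftime(_indextime, "%Y-%m-%d %T")
```

After restarting or reloading the search head, `sourcetype=json_rest | table _time timestamp indexed_at` shows both formatted copies alongside the unchanged _time.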