Splunk Search

How to extract the _time value into a separate field?

jpanderson
Path Finder

I have one index of iis logs which extracts the timestamp into a "timestamp" field. I have another index which reads fields from _json objects. It extracts timestamps automatically from this and puts the timestamp into a _time field.

For the sake of consistency, I'd like the timestamp field to also be called "timestamp" in this separate JSON index (the json is pulled from a REST service attached to a SQL DB). I tried creating an alias for the _time to rename it to timestamp, however, it is converted into microseconds or something similar. I can convert it into a human readable value easily enough with a convert ctime() command in search, but I want to do this automatically at search-time, or perhaps even index-time.

Is there an easy way to extract the _time value or redirect it into a field of my choosing?

Thanks!

Lowell
Super Champion

This may be a good use case for calculated fields. You can set up a calculated field based on either _time or _indextime (I'll come back to a question there in a second).

Take a look at these docs:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/definecalcfields

Just to be sure, are the built-in timestamps correct for the events? (From your question it sounds like they are, but from a comment earlier, it wasn't clear.) Getting timestamp recognition correct when the data is onboarded is super critical in Splunk. (I'd argue that it's the most important onboarding issue.) This is important if you want consistency in Splunk; start here:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Configuretimestamprecognition

If your sourcetypes are set up to use structured data (IIS/JSON), take a look at TIMESTAMP_FIELDS in props.conf:

http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Extractfieldsfromfileswithstructureddata


Once you've got _time setup correctly, now Splunk can search on timeframes properly, and then you can make a friendly field using calculated fields:

 EVAL-timestamp = strftime(_time, "%Y-%m-%d %T")

BTW, a field alias only "copies" the field; it doesn't "move" a field. (And you wouldn't want it to; that would break lots of stuff.) It's not the same as the rename search command; it's more like eval newfield=oldfield.

0 Karma

fdi01
Motivator
0 Karma

jpanderson
Path Finder

The date is not in my raw event, hence I cannot use an extraction. The _time is just being assigned when the event is being indexed.

0 Karma

fdi01
Motivator

OK, use the _indextime field, because the _indextime field contains the time that an event was indexed.

0 Karma
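Putting Lowell's calculated-field suggestion and fdi01's _indextime suggestion together, here is an added props.conf example (not from the original thread or from Splunk's own docs). The sourcetype names "my_json_rest" and "my_json_no_date", the JSON key "event_time" and the TIME_FORMAT value are assumptions; substitute the real ones. Everything in the stanzas is a search-time knowledge object except INDEXED_EXTRACTIONS, TIMESTAMP_FIELDS and TIME_FORMAT, which are applied when the data is indexed and only take effect for data ingested after the change.

```ini
# props.conf: expose _time (or _indextime) as a human-readable "timestamp"
# field on the JSON sourcetype, to match the field name on the IIS index.
# Stanza names, the "event_time" key and TIME_FORMAT are assumptions.

[my_json_rest]
# Structured-data onboarding: parse the JSON at index time and tell Splunk
# which JSON key carries the event time, so _time is correct before anything
# else is built on it. Only relevant when the raw event does contain a date.
INDEXED_EXTRACTIONS = json
TIMESTAMP_FIELDS = event_time
# Assumed layout of the event_time value; it must match the data exactly.
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z

# Calculated field (search time): _time is a Unix epoch in seconds, so strftime
# renders it in the same shape as the IIS "timestamp" field. The string is
# produced in the timezone of the user running the search.
EVAL-timestamp = strftime(_time, "%Y-%m-%d %T")

[my_json_no_date]
# Variant for events whose raw text has no date at all: _time is simply
# assigned at index time, so use _indextime (when the indexer saw the event)
# as the source instead. This value reflects ingestion, not the event itself.
EVAL-timestamp = strftime(_indextime, "%Y-%m-%d %T")
```

Scope the EVAL to the JSON sourcetype stanzas only; a calculated field named timestamp in a stanza that also covers the IIS data would shadow the extracted IIS field. Calculated fields are search-time only, so this does not give an index-time field; if the formatted string is needed in the raw data, it has to be emitted by the REST source. To verify after a restart or reload, run a search such as: index=<json_index> sourcetype=my_json_rest | table _time _indextime timestamp. If events are shared across users in different timezones, consider adding %z to the format so the rendered string is unambiguous when it is later compared against the IIS timestamps during an investigation.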