I have one index of IIS logs which extracts the timestamp into a "timestamp" field. I have another index which reads fields from _json objects. It extracts timestamps automatically from this and puts the timestamp into a _time field.
For the sake of consistency, I'd like the timestamp field to also be called "timestamp" in this separate JSON index (the JSON is pulled from a REST service attached to a SQL DB). I tried creating an alias for _time to rename it to timestamp; however, it is converted into microseconds or something similar. I can convert it into a human-readable value easily enough with a convert ctime() command in search, but I want to do this automatically at search time, or perhaps even index time.
Is there an easy way to extract the _time value or redirect it into a field of my choosing?
The date is not in my raw event, hence I cannot use an extraction. The _time is just being assigned when the event is being indexed.
This may be a good use case for calculated fields. You can set up a calculated field based on either _time or _indextime (I'll come back to a question there in a second).
Take a look at these docs:
Just to be sure, are the built-in timestamps correct for the events? (From your question it sounds like they are, but from a comment earlier, it wasn't clear.) Getting timestamp recognition correct when the data is onboarded is super critical in Splunk. (I'd argue that it's the most important onboarding issue.) This is important if you want consistency in Splunk; start here:
If your sourcetypes are set up to use structured data (IIS/JSON), take a look at TIMESTAMP_FIELDS in props.conf:
Once you've got _time set up correctly, Splunk can search on timeframes properly, and then you can make a friendly field using calculated fields:
EVAL-timestamp = strftime(_time, "%Y-%m-%d %T")
BTW, a field alias only "copies" the field; it doesn't "move" a field. (And you wouldn't want it to; that would break lots of stuff.) It's not the same as the rename search command, it's more like
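Putting the pieces of the answer above together, here is an added example of a single props.conf stanza for the JSON sourcetype (not from the original post). The sourcetype name rest_json and the JSON key event_time are assumed placeholders.

```ini
# Added example, not from the original post. Sourcetype "rest_json" and the
# JSON key "event_time" are assumed placeholders.
# TIMESTAMP_FIELDS/TIME_FORMAT only matter if the JSON actually carries a time;
# if it does not, _time stays as assigned at index time and only the EVAL line
# below is needed.
[rest_json]
INDEXED_EXTRACTIONS = json
# Avoid extracting the same JSON fields a second time at search time
KV_MODE = none
# Use the named JSON key as the source for _time instead of auto-detection
TIMESTAMP_FIELDS = event_time
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
# Search-time calculated field: a human-readable copy of _time, named to
# match the field in the IIS index. _time itself is left untouched, so
# time-range searches keep working.
EVAL-timestamp = strftime(_time, "%Y-%m-%d %T")
```

The INDEXED_EXTRACTIONS and TIMESTAMP_FIELDS settings take effect where the data is parsed (forwarder or indexer), while EVAL-timestamp is a search-time setting and must be present on the search head; a quick check is to run a search over the sourcetype and compare _time with the new timestamp field side by side.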