Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Issues with time parameter in Collect command

arjit
Path Finder
‎10-14-2020 10:44 PM

Hi All, I am populating the summary index from yesterdays data via tstats count on a Data model and inspite of adding the addTime=t, the query is updating the time from _raw i.e. today instead of yesterdays date.  My query is as below :

| tstats count AS "Trip Count" FROM datamodel=ourdatamodel

where   Condition

| Collect index=xyz sourcetype=abc addTime=T      (time parameter given in the scheduled report is -1d@d till @d) 

When I tried extracting the info_min_time to check whether this parameter is available through

(The documentation states the collect command will look for info_min_time and if it is not present, then it will look for _time)

| tstats count AS "Trip Count", earliest(info_min_time) FROM datamodel=ourdatamodel .......

I am not getting any value for this field in the result. 

 Can you please suggest why inspite of adding addTime=T, we are not getting date as yesterday's date ? 

Thanks

AG. 

 

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-15-2020 01:10 AM

Does the tstats actually return anything that could be a date/time? Try adding addinfo between the tstats and collect commands

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-15-2020 01:10 AM

Does the tstats actually return anything that could be a date/time? Try adding addinfo between the tstats and collect commands

0 Karma
Reply
Solved! Jump to solution

arjit
Path Finder
‎10-15-2020 01:47 AM

Thanks for this @ITWhisperer ! what I have done here is I have added addinfo|eval _time = info_min_time which is giving me the yesterday date!  My new query, for the benefit of all the readers,  is now: 

 

| tstats count AS "Trip Count" FROM datamodel=ourdatamodel

where   Condition

| addinfo| eval _time = info_min_time | Collect index=xyz sourcetype=abc addTime=T      (time parameter given in the scheduled report is -1d@d till @d) 

and this is giving me the desired date. 

Kind regards

AG. 

Reply
Solved! Jump to solution

arjit
Path Finder
‎10-14-2020 11:52 PM

Hi @thambisetty , thanks for this but it accepts both addTime and addtime... I have already tried running both of them but both are not working ... 

I suspect the problem must be with using tstats command on datamodel probably ... .

Please suggest if you have any suggestions here ...

Thanks

AG.  

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎10-14-2020 10:59 PM

The argument option addTime you used is wrong. it's supposed to be addtime ( t is lowercase in time).

 

addtime
Syntax: addtime=<bool>
Description: Use this option to specify whether to prefix a time field on to each event. Some commands return results that do not have a _raw field, such as the stats, chart, timechart commands. If you specify addtime=false, the Splunk software uses its generic date detection against fields in whatever order they happen to be in the summary rows. If you specify addtime=true, the Splunk software uses the search time range info_min_time. This time range is added by the sistats command or _time. Splunk software adds the time field based on the first field that it finds: info_min_time, _time, or now().
Default: true

 

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

New This Month - Observability Updates Give Extended Visibility and Improve User ...

This month is a collection of special news! From Magic Quadrant updates to AppDynamics integrations to ...

Intro to Splunk Synthetic Monitoring

In our last post, we mentioned that the 3 key pieces of observability – metrics, logs, and traces – provide ...