Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Issues with time parameter in Collect command

arjit
Path Finder
‎10-14-2020 10:44 PM

Hi All, I am populating the summary index from yesterdays data via tstats count on a Data model and inspite of adding the addTime=t, the query is updating the time from _raw i.e. today instead of yesterdays date.  My query is as below :

| tstats count AS "Trip Count" FROM datamodel=ourdatamodel

where   Condition

| Collect index=xyz sourcetype=abc addTime=T      (time parameter given in the scheduled report is -1d@d till @d) 

When I tried extracting the info_min_time to check whether this parameter is available through

(The documentation states the collect command will look for info_min_time and if it is not present, then it will look for _time)

| tstats count AS "Trip Count", earliest(info_min_time) FROM datamodel=ourdatamodel .......

I am not getting any value for this field in the result. 

 Can you please suggest why inspite of adding addTime=T, we are not getting date as yesterday's date ? 

Thanks

AG. 

 

 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-15-2020 01:10 AM

Does the tstats actually return anything that could be a date/time? Try adding addinfo between the tstats and collect commands

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-15-2020 01:10 AM

Does the tstats actually return anything that could be a date/time? Try adding addinfo between the tstats and collect commands

0 Karma
Reply
Solved! Jump to solution

arjit
Path Finder
‎10-15-2020 01:47 AM

Thanks for this @ITWhisperer ! what I have done here is I have added addinfo|eval _time = info_min_time which is giving me the yesterday date!  My new query, for the benefit of all the readers,  is now: 

 

| tstats count AS "Trip Count" FROM datamodel=ourdatamodel

where   Condition

| addinfo| eval _time = info_min_time | Collect index=xyz sourcetype=abc addTime=T      (time parameter given in the scheduled report is -1d@d till @d) 

and this is giving me the desired date. 

Kind regards

AG. 

Reply
Solved! Jump to solution

arjit
Path Finder
‎10-14-2020 11:52 PM

Hi @thambisetty , thanks for this but it accepts both addTime and addtime... I have already tried running both of them but both are not working ... 

I suspect the problem must be with using tstats command on datamodel probably ... .

Please suggest if you have any suggestions here ...

Thanks

AG.  

0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎10-14-2020 10:59 PM

The argument option addTime you used is wrong. it's supposed to be addtime ( t is lowercase in time).

 

addtime
Syntax: addtime=<bool>
Description: Use this option to specify whether to prefix a time field on to each event. Some commands return results that do not have a _raw field, such as the stats, chart, timechart commands. If you specify addtime=false, the Splunk software uses its generic date detection against fields in whatever order they happen to be in the summary rows. If you specify addtime=true, the Splunk software uses the search time range info_min_time. This time range is added by the sistats command or _time. Splunk software adds the time field based on the first field that it finds: info_min_time, _time, or now().
Default: true

 

————————————
If this helps, give a like below.
0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...