Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Manipulate _time value on collect

LordLeet
Path Finder
‎01-24-2018 08:11 AM

Hello,

I'm performing some aggregations on my indexed data and I'm doing them based on a field that stores date and time (action_time), the stored dates may also be from previous days.

index=index_1 (filtering conditions) earliest=-1d@d latest=@d
| eval action_time=strptime(action_time,"%d/%m/%Y %H:%M:%S")
| stats (aggregation) by action_time
| eval _time=action_time
| fields _time action_time (aggregation results)
| collect index=collect_index

If I perform the search shown above, it retrieves the desired results for the _time field on the search results but if I run the query over the collected data the _time field will be wrong.
It seems the issue might be related with the earliest and latest since what is being displayed on the _time field is 1/23/18 11:59:59.000 PM which seems to be the last possible value for _time within the specified interval.

For instance:
Before Collect _time: 2018-01-20 00:00:57
After Collect _time: 1/23/18 11:59:59.000 PM

I've also tried replacing the | fields with the | table command to get rid of internal fields, playing with the | collect addtime parameter, both with no success.

Am I missing something?

Thanks in advance!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

LordLeet
Path Finder
‎01-24-2018 09:16 AM

After more tests and playing around with the query I've noticed that if I remove the earliest and latest parameters and select the time range I wanted using the time picker, it works as intended.

This is fine if I'm retrieving data from a single index or if I am retrieving data within the same interval.
I'm wondering how could it be done if I wanted an entire week data from one of the sources and only data from the previous day on another, I couldn't set this up only using the time picker.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

LordLeet
Path Finder
‎01-24-2018 09:16 AM

After more tests and playing around with the query I've noticed that if I remove the earliest and latest parameters and select the time range I wanted using the time picker, it works as intended.

This is fine if I'm retrieving data from a single index or if I am retrieving data within the same interval.
I'm wondering how could it be done if I wanted an entire week data from one of the sources and only data from the previous day on another, I couldn't set this up only using the time picker.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...