Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Manipulate _time value on collect
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I'm performing some aggregations on my indexed data and I'm doing them based on a field that stores date and time (action_time), the stored dates may also be from previous days.
index=index_1 (filtering conditions) earliest=-1d@d latest=@d
| eval action_time=strptime(action_time,"%d/%m/%Y %H:%M:%S")
| stats (aggregation) by action_time
| eval _time=action_time
| fields _time action_time (aggregation results)
| collect index=collect_index
If I perform the search shown above, it retrieves the desired results for the _time field on the search results but if I run the query over the collected data the _time field will be wrong.
It seems the issue might be related with the earliest and latest since what is being displayed on the _time field is 1/23/18 11:59:59.000 PM which seems to be the last possible value for _time within the specified interval.
For instance:
Before Collect _time: 2018-01-20 00:00:57
After Collect _time: 1/23/18 11:59:59.000 PM
I've also tried replacing the | fields with the | table command to get rid of internal fields, playing with the | collect addtime parameter, both with no success.
Am I missing something?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After more tests and playing around with the query I've noticed that if I remove the earliest and latest parameters and select the time range I wanted using the time picker, it works as intended.
This is fine if I'm retrieving data from a single index or if I am retrieving data within the same interval.
I'm wondering how could it be done if I wanted an entire week data from one of the sources and only data from the previous day on another, I couldn't set this up only using the time picker.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After more tests and playing around with the query I've noticed that if I remove the earliest and latest parameters and select the time range I wanted using the time picker, it works as intended.
This is fine if I'm retrieving data from a single index or if I am retrieving data within the same interval.
I'm wondering how could it be done if I wanted an entire week data from one of the sources and only data from the previous day on another, I couldn't set this up only using the time picker.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
