Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need solution with custom time field

vijaynela
New Member
‎08-30-2024 04:00 AM

I am working Service now logs in Splunk. The tickets data has one field called "sys_created" this field gives the ticket created time in "%Y-%m-%d %H:%M:%S" format.

when I am running the query for the last 7 days. The tickets which were raised before 7 days are also populating because of another field called sys_updated.

This sys_updated field will store all the updates in the tickets, so if an old ticket is updated within last 7 days, it will be populated when i keep timerange picker as last 7 days.

Is there a way to consider "sys_created"  as "_time" ?

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-30-2024 04:18 AM

_time is set for the event when it is ingested. If you change the way the event is ingested, then perhaps you could use a different part of the event for the timestamp. However, this would only apply going forward, it would not re-index the existing events.

One possibility is that you could copy (using the collect command) the events to another index having reset the _time field to the value you want.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...