Splunk Search

Overriding _time


Greetings everyone. Is there any way to modify _time's value for the sake of a single search? One of our sources has the time set 2 hours behind where it should be. We have to present data tomorrow, and it will take at least a week to re-index everything. Any ideas would be appreciated.

Tags (1)


You can munge time with eval. Something like this should work:

... | eval _time=if(source=="/some/bad/source",_time+7200,_time)

Things can get slightly wonky doing stuff like this though. You may need to resort by time (| sort -_time), and because this is a post-search processing of the data your search window will need to be large enough to be inclusive of the whole time window.

I would definitely plan on a reindex to fix the fouled data. But this might get you through your demo tomorrow.


Hi, I have been struggling with this for a long time. Thanks a lot. I am trying to display events from the past in the same graph as current events in a graph (Today vs last week).

0 Karma


you can perform a regex on the field where the time is and search based on that time. an example....

search rex field=_raw "(?\d{4}\/\d{2}\/\d{2}) (?\d{2}:\d{2}:\d{2})" | sort by new_date,new_time

0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!