Summary Index from | collect ... addtime=f : When ...

isaiz · ‎03-14-2023

I created a summary index with a custom _raw from a tstats search from 03/14/2023 16:30:00 to 03/14/2023 16:35:00:

| tstats summariesonly=false count sum(common.sentbyte) AS sentbyte sum(common.rcvdbyte) AS rcvdbyte
FROM datamodel=CTTI_Fortinet_Log
WHERE common.subtype=forward
BY common.devname common.dstip common.sessionid

| rename common.devname as devname common.dstip as dstip common.sessionid as sessionid
| addinfo
| eval _time = strftime(info_min_time,"%m/%d/%Y %H:%M:%S %z")
| eval version=0.44
| eval _raw=_time . ", " .
                        "devname=". devname . ", " .
                         "dstip=" . dstip . ", " .
                         "sessionid=" . sessionid . ", " .
                         "sentbyte=" . coalesce(sentbyte,0) . ", " .
                         "rcvdbyte=" . coalesce(rcvdbyte,0) . ", " .
                         "version=" . version
| fields _raw
| collect index=superbasket_d_test addtime=f

It worked as intended, showing me the correct extracted _time and _raw in the collect query results but then when I search that same index for some reason it adds 1 second to _time.

Why does it happen?

Summary Index from | collect ... addtime=f : When searched _time is not equal to time from _raw and date_* fields

eval

field extraction

fields

metadata

tstats

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

Summary Index from | collect ... addtime=f : When searched _time is not equal to time from _raw and date_* fields