Splunk Search

Use of _indextime field in table or stats command

rakshithreddy
Explorer

Hi All

How can I use _indextime field in table or stats command without renaming or converting it.

Not working
Ex: * | table host source sourcetype _time _indextime _raw

Its working if I rename the _indextime or convert the _indextime, But I want the results with _indextime as field

Working
Ex: * | eval indextime=_indextime | table host source sourcetype _time indextime _raw

Thank you

Tags (1)

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @rakshithreddy,

_indextime is an internal filed and a hidden field, it will not be displayed in search results unless renamed or used with an eval.

So whenever you eval _indextime it will work.

Please refer below document for more information.

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Usedefaultfields

Thanks
Happy Splunking

0 Karma

rakshithreddy
Explorer

Hello

Thanks for reply

We can display _raw , _time not _indextime & not sure why

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @rakshithreddy,

Good question.

_raw and _time is NOT hidden field.

The _raw field contains the original raw data of an event. The search command uses the data in _raw when performing searches and data extraction.

The _time field contains an event's timestamp expressed in Unix time. This field is used to create the event timeline in Splunk Web.

_indextime is a hidden field that's why we have to eval _indextime to make in use.

🙂

Thanks

0 Karma

rakshithreddy
Explorer

Good to know,
But I was looking for anyway if we cheat this thing.

Thank you

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @rakshithreddy,

Yes, for you I have a trick but in configuration.

If we set EVAL in props.conf then we don't need eval in any search in the app.

Just put below configuration in props.conf.

[MY_SOURCETYPE]
EVAL-indextime=_indextime

Search:

sourcetype=MY_SOURCETYPE | table _time indextime

Thanks
Happy Splunking.

0 Karma

ddrillic
Ultra Champion

Try please - base search | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime

rakshithreddy
Explorer

thanks for reply,

I want it to be -
base search | table _indextime, the field name should be _indextime as i am sending these results to an external application & that application can only detect if its _indextime

0 Karma

Lucas_K
Motivator

I think you're out of luck. You can't display exact "_indextime" as the output will always filter.

You can fake it and put in a space though.

index=_internal | rename _indextime AS " _indextime"| table host " _indextime"

Notice the space in the quotes.

0 Karma

ddrillic
Ultra Champion

No luck -

alt text

0 Karma
Get Updates on the Splunk Community!

Exporting Splunk Apps

Join us on Monday, October 21 at 11 am PT | 2 pm ET!With the app export functionality, app developers and ...

Cisco Use Cases, ITSI Best Practices, and More New Articles from Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...