- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why is _time storing incorrect value?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I use the below saved search and scheduled it and enabled the summary index.
| dbxquery connection=connectionname query="select startdatetime, enddatetime from tablename where enddatetime > ? AND enddatetime < ?"
[| makeresults
| appendcols
[| inputlookup kvstorelookup
....
....
| eval starttime="2018-07-19 23:00:01"
| eval endtime="2018-07-19 23:15:00"
| eval daterange=starttime.",".endtime
| rename daterange as params
| fields params]]
| eval _time=enddatetime
|fields _time, startdatetime, enddatetime
|table _time, startdatetime, enddatetime
When I run the query manually it shows _time as exactly same as enddatetime value.
But when it runs through scheduler _time is always stored as "2018-07-19 00:59:59"
I am not sure why this is happening. Can someone please help?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed the issue. Missed to convert the time to epoch before storing in _time.
Below line fixed the issue.
| eval _time=strptime(enddatetime,"%Y-%m-%d %H:%M:%S.%1N")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fixed the issue. Missed to convert the time to epoch before storing in _time.
Below line fixed the issue.
| eval _time=strptime(enddatetime,"%Y-%m-%d %H:%M:%S.%1N")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Don't use _time in your query and then try to compare the searches...Let me know if it works for you...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried, it didnt work. Still _time value stored as "2018-07-19 00:59:59"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you need to do an input instead to control time, http://docs.splunk.com/Documentation/DBX/3.1.3/DeployDBX/Createandmanagedatabaseinputs
Have you tried naming the time column to _time in your SQL?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you mean enddatetime as _time in select query? If so, yes I did. But it didnt work.
I also tried removing _time field from this saved search. But still the _time value stored as "2018-07-19 00:59:59"
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
