Splunk Search

add seconds or minutes every 50000 events

efaundez
Path Finder

Good afternoon

Currently you try to index data to a summary index, but these events do not contain a timestamp, so the indexing remains with the date the query was run.

This is a problem for Splunk: because there is no timestamp, the data is indexed with the same timestamp and the query is truncated when you try to find it.

Is there any method that allows you to add seconds or minutes to every certain number of events?

Best regards

0 Karma
1 Solution

manjunathmeti
SplunkTrust
SplunkTrust

Set _time = now() and add seconds every 50000 events:

<your_search> | eval _time=now(), count=1 | streamstats sum(count) as count | eval _time=_time + floor(count/50000)

If you want to add seconds to _time of each event then use this:

<your_search> | eval _time=now(), seconds=0.001 | streamstats sum(seconds) as seconds | eval _time=_time + seconds
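
As an added illustration (not from the original thread), the first search below generates constructed timestamp-less events, applies the same one-second-per-50000-events spread as the answer, and writes them to a summary index; the second search then checks that the stored _time values really are spread out. The index name summary_demo is an assumption, so replace it with your own summary index.

```spl
| makeresults count=120000
| eval _raw="constructed event with no timestamp of its own"
| streamstats count AS seq
| eval _time=now() + floor((seq - 1) / 50000)
| collect index=summary_demo

index=summary_demo earliest=-5m latest=+5m
| stats count AS events, dc(_time) AS distinct_times, min(_time) AS first_time, max(_time) AS last_time
| eval first_time=strftime(first_time, "%Y-%m-%d %H:%M:%S"), last_time=strftime(last_time, "%Y-%m-%d %H:%M:%S")
```

With 120000 events the check should report distinct_times=3 and a last_time two seconds after first_time. The latest=+5m bound matters because the spread deliberately places later buckets slightly after the moment the collecting search ran, so a search bounded at now would miss them.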

efaundez
Path Finder

It worked, thank you for your response.

Best regards

0 Karma