Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

dbinspect fields names and format changed in 6.*

mataharry
Communicator
‎11-25-2013 08:17 AM

I was using dbinpect to calculates the first and last events in my buckets.
In splunk 4.* and 5.*, it was returning 2 fields earliestTime and latestTime as a date in my SH timezone.

But I do not find those fields anymore in 6.*, how to get them ?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-25-2013 08:21 AM

Yes, the format of dbinspect changed in 6.*
see http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dbinspect

The time fields were renamed and converted to epoch time.

  • earliestTime (in formatted time ) became endEpoch (in epoch)
  • latestTime (in formatted time ) became startEpoch (in epoch)

You can update your searches to use the new fields, or do a simple conversion.

| dbinspect
| convert ctime(endEpoch) AS earliestTime
| convert ctime(startEpoch) AS latestTime

View solution in original post

Reply
Solved! Jump to solution

dlutzy
Engager
‎10-13-2015 05:47 PM

you need to switch:

earliestTime (in formatted time ) became startEpoch (in epoch)
latestTime (in formatted time ) became endEpoch (in epoch)

Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎11-25-2013 08:21 AM

Yes, the format of dbinspect changed in 6.*
see http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Dbinspect

The time fields were renamed and converted to epoch time.

  • earliestTime (in formatted time ) became endEpoch (in epoch)
  • latestTime (in formatted time ) became startEpoch (in epoch)

You can update your searches to use the new fields, or do a simple conversion.

| dbinspect
| convert ctime(endEpoch) AS earliestTime
| convert ctime(startEpoch) AS latestTime

Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎10-26-2016 06:26 AM 
| convert ctime(endEpoch) AS latestTime | convert ctime(startEpoch) AS earliestTime

gotta get yannK to flip the fields in the convert

startEpoch - The timestamp for the first event in the bucket (the time-edge of the bucket furthest towards the past), in number of seconds from the UNIX epoch.

endEpoch - The timestamp for the last event in the bucket, which is the time-edge of the bucket furthest towards the future. Specify the timestamp in the number of seconds from the UNIX epoch.

- MattyMo
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...