Hello,
I'm performing some aggregations on my indexed data and I'm doing them based on a field that stores date and time (action_time), the stored dates may also be from previous days.
index=index_1 (filtering conditions) earliest=-1d@d latest=@d
| eval action_time=strptime(action_time,"%d/%m/%Y %H:%M:%S")
| stats (aggregation) by action_time
| eval _time=action_time
| fields _time action_time (aggregation results)
| collect index=collect_index
If I perform the search shown above, it retrieves the desired results for the _time field on the search results but if I run the query over the collected data the _time field will be wrong.
It seems the issue might be related to the earliest and latest parameters, since what is being displayed in the _time field is 1/23/18 11:59:59.000 PM, which seems to be the last possible value for _time within the specified interval.
For instance:
Before Collect _time: 2018-01-20 00:00:57
After Collect _time: 1/23/18 11:59:59.000 PM
I've also tried replacing the | fields command with the | table command to get rid of internal fields, and playing with the | collect addtime parameter, both with no success.
Am I missing something?
Thanks in advance!
After more tests and playing around with the query, I've noticed that if I remove the earliest and latest parameters and select the time range I want using the time picker, it works as intended.
This is fine if I'm retrieving data from a single index or if I am retrieving data within the same interval.
I'm wondering how it could be done if I wanted an entire week's data from one of the sources and only the previous day's data from another; I couldn't set this up using only the time picker.
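An added sanity check, not part of the post above and not Splunk code, that mirrors the situation described: it reproduces the `earliest=-1d@d latest=@d` window, parses `action_time` with the same `%d/%m/%Y %H:%M:%S` format the search uses, and flags collected rows whose `_time` has collapsed to the last second of the search window (the symptom reported). It assumes naive local timestamps and that the collected `_time` is exported in the `1/23/18 11:59:59.000 PM` display format shown in the post.

```python
from datetime import datetime, timedelta
from collections import Counter

ACTION_FMT = "%d/%m/%Y %H:%M:%S"           # format used by strptime() in the search
DISPLAY_FMT = "%m/%d/%y %I:%M:%S.%f %p"    # how the collected _time was displayed (assumption)


def day_window(now):
    """(earliest, latest) for `earliest=-1d@d latest=@d`: the whole previous calendar day."""
    latest = now.replace(hour=0, minute=0, second=0, microsecond=0)  # @d snaps to midnight today
    earliest = latest - timedelta(days=1)                            # -1d@d: midnight yesterday
    return earliest, latest


def parse_action_time(text):
    return datetime.strptime(text, ACTION_FMT)


def parse_collected_time(text):
    return datetime.strptime(text, DISPLAY_FMT)


def classify(collected_time, action_time, earliest, latest):
    """Compare a collected _time against the action_time it should have been set from."""
    expected = parse_action_time(action_time)
    got = parse_collected_time(collected_time)
    if got == expected:
        return "ok"
    if got == latest - timedelta(seconds=1):
        return "collapsed_to_latest"      # _time pinned to the end of the search window
    if not (earliest <= got < latest):
        return "outside_window"
    return "mismatch"


def audit(rows, now):
    """rows: iterable of (collected_time, action_time) pairs; returns counts per outcome."""
    earliest, latest = day_window(now)
    return Counter(classify(c, a, earliest, latest) for c, a in rows)


if __name__ == "__main__":
    # Constructed sample rows: the post's example plus one row that survived collect intact.
    sample = [
        ("1/23/18 11:59:59.000 PM", "20/01/2018 00:00:57"),
        ("1/20/18 12:00:57.000 AM", "20/01/2018 00:00:57"),
    ]
    print(audit(sample, now=datetime(2018, 1, 24, 10, 0, 0)))
```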