Overriding _time

msarro · ‎09-28-2011

Greetings everyone. Is there any way to modify _time's value for the sake of a single search? One of our sources has the time set 2 hours behind where it should be. We have to present data tomorrow, and it will take at least a week to re-index everything. Any ideas would be appreciated.

dwaddle · ‎09-28-2011

You can munge time with eval. Something like this should work:

... | eval _time=if(source=="/some/bad/source",_time+7200,_time)

Things can get slightly wonky doing stuff like this though. You may need to resort by time (| sort -_time), and because this is a post-search processing of the data your search window will need to be large enough to be inclusive of the whole time window.

I would definitely plan on a reindex to fix the fouled data. But this might get you through your demo tomorrow.

chris · ‎02-08-2012

Hi, I have been struggling with this for a long time. Thanks a lot. I am trying to display events from the past in the same graph as current events in a graph (Today vs last week).

vlapeintuit · ‎09-28-2011

you can perform a regex on the field where the time is and search based on that time. an example....

search

rex field=_raw "(?\d{4}\/\d{2}\/\d{2}) (?\d{2}:\d{2}:\d{2})" | sort by new_date,new_time

Overriding _time

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...