Hello,
When I create a new index with an old index I would like to have an _time with a time different than the time of the day that I create my index.
Is it possible ?
While using the collect
command to change the timestamp, consider the discussion on this recent answers post.
It doesn't seem as simple as setting a new _time
value before piping to collect
.
Can you rephrase the question? It's unclear (at least to me) what it is you're asking.
By exemple :
Index1 : _raw with _time 01/01/2017
index2 is creating on 01/01/2018 and I would like to have in _raw 01/01/2017 for _time
it is for having in presets a value of research that I can have for the data in the initial index.
Are you ingesting (or planning to ingest) same data in both the index? If yes, from where are you getting this data? OR you've data in Index1 and just want to replicate same data but adjusted timestmap in Index2?
I would like to replicate same data but adjusted timestamp in index2
You can use summary indexing method (collect command or by scheduling a search and enabling summary indexing) to send your Index1 data to Index2. In your search, you'd manipulate your _time before sending (adding 1 year). A sample search (using collect command) could be like this:
index=Index1 sourcetype=yoursourcetype
| eval _time=relative_time(_time,"+1y")
| collect index=Index2
See more info on collect command here:
http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Collect
and if I want to put in _time an other value than _time like by example in _time I would to put a date witch is not _time . Is it possible ?
You should be able to manipulate _time within the compound of eval command and available values/function in your Splunk. If you can describe what kind of changes exactly you're planning to make, we can have a look at it's feasibility.
Timestamps aren't a function of the index, they are a function of the sourcetype.
Do you want to index different event formats with different time formats?
I would like to adjust the timestamp in the new index