Splunk Search

Modification of _time value

isabellechristo
New Member

Hello,

When I create a new index from an old index, I would like to have a _time with a time different from the time of the day when I create my index.

Is it possible?


micahkemp
Champion

While using the collect command to change the timestamp, consider the discussion on this recent answers post.

It doesn't seem as simple as setting a new _time value before piping to collect.


micahkemp
Champion

Can you rephrase the question? It's unclear (at least to me) what it is you're asking.


isabellechristo
New Member

For example:

Index1: _raw with _time 01/01/2017

index2 is created on 01/01/2018, and I would like to have 01/01/2017 for _time in _raw.

It is for having in the presets a search value that I can have for the data in the initial index.


somesoni2
SplunkTrust

Are you ingesting (or planning to ingest) the same data in both indexes? If yes, from where are you getting this data? OR do you have data in Index1 and just want to replicate the same data, but with an adjusted timestamp, in Index2?


isabellechristo
New Member

I would like to replicate the same data but with an adjusted timestamp in index2.


somesoni2
SplunkTrust

You can use summary indexing method (collect command or by scheduling a search and enabling summary indexing) to send your Index1 data to Index2. In your search, you'd manipulate your _time before sending (adding 1 year). A sample search (using collect command) could be like this:

index=Index1 sourcetype=yoursourcetype
| eval _time=relative_time(_time,"+1y")
| collect index=Index2

See more info on collect command here:

http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/Collect


isabellechristo
New Member

And if I want to put in _time another value than _time, for example a date which is not _time, is it possible?


somesoni2
SplunkTrust

You should be able to manipulate _time within the compound of the eval command and the values/functions available in your Splunk. If you can describe what kind of changes exactly you're planning to make, we can have a look at its feasibility.

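As an added example (not code from this thread), the following search covers both variants asked about: shifting _time by one year, or replacing it with a date that is not the original _time. It assumes Index1, Index2 and yoursourcetype from the answer above, and a hypothetical field event_date (formatted dd/mm/yyyy) that carries the date to use instead; sourcetype= is set explicitly because collect otherwise writes the copied events with sourcetype stash.

```spl
index=Index1 sourcetype=yoursourcetype
| eval original_time=_time
| eval _time=if(isnotnull(event_date),
                strptime(event_date, "%d/%m/%Y"),
                relative_time(original_time, "+1y"))
| collect index=Index2 sourcetype=yoursourcetype
```

Events copied this way keep their original host, source and _raw, so searches over Index2 that key on the timestamp (retention, scheduled alerts with earliest/latest windows) see the adjusted _time, not the ingestion time; keep original_time in the event if you need to trace a copied event back to its source.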

micahkemp
Champion

Timestamps aren't a function of the index, they are a function of the sourcetype.

Do you want to index different event formats with different time formats?


isabellechristo
New Member

I would like to adjust the timestamp in the new index.
