Solved: How to use info_max_time as _time?

the_wolverine · ‎10-17-2012

I'm running a search where I perform a rename of another time field to _time:

mysummarysearch | rename info_max_time as _time

It works as a simple search but if I try to do anything bolder, like use it in a subsearch and append to another search, I lose the results of the subsearch entirely (only the results of the outer search are returned.)

the_wolverine · ‎10-18-2012

Thanks for all the suggestions! I have to use a specific start time for my use case -- but based on the suggestions in comments, I've gotten this to work:

Here is my query with subsearch

[search index=summary marker=abc earliest=1350595800 | rename info_max_time as _time | format maxresults=0 ] OR index=main sourcetype=xyz OR sourcetype=123 earliest=1350595800 | timechart span=10m count(eval(sourcetype=="abc")) as XYZ count(eval(sourcetype=="123")) as 123 count(eval(marker=="abc")) as ABC

View solution in original post

the_wolverine · ‎10-18-2012

Thanks for all the suggestions! I have to use a specific start time for my use case -- but based on the suggestions in comments, I've gotten this to work:

Here is my query with subsearch

[search index=summary marker=abc earliest=1350595800 | rename info_max_time as _time | format maxresults=0 ] OR index=main sourcetype=xyz OR sourcetype=123 earliest=1350595800 | timechart span=10m count(eval(sourcetype=="abc")) as XYZ count(eval(sourcetype=="123")) as 123 count(eval(marker=="abc")) as ABC

bmacias84 · ‎10-18-2012

I haved used the following instead of using timechart.



mysummarysearch | rename info_max_time as ctime | chart span=5m max(mycount) as "Max Count" over ctime  by host



mysummarysearch | rename info_max_time as ctime | stats max(cpu) as mcpu, stdev(cpu) as scpu | fields ctime, mcpu, scpu

sideview · ‎10-17-2012

Can you post the subsearch where you were attempting to use the _time values as arguments to the outer search? If you use time arguments in the search clause you have to use the earliest and latest search terms, ie earliest=-24h, or earliest=1350408576. So really if you want to use them as search arguments you need to rename them to earliest and latest...

the_wolverine · ‎10-17-2012

Yes, it works! But only as a simple search:

search | rename info_max_time as _time

However if I want to subsearch that, Splunk doesn't agree with me.

dbryan · ‎10-17-2012

Are you trying to rename it as _time so that Splunk uses it as the time of the event? In my experience I haven't had any success getting Splunk to treat a different field as the native time of the event at search time.

the_wolverine · ‎10-17-2012

Yeah, I'm seeing odd behavior as well but I'm not sure how I would timechart this if I don't use _time?

My outersearch is just (filtered) events, all fields. I'm trying to combine 2 sources of data so I can timechart them all based on _time.

bmacias84 · ‎10-17-2012

Why not rename info_max_time as another name rather than using _time? Personally I've noticed quarky thing when renaming field to metadata fields when performing complex searches. Another question in your outer search are you using "...| fields ," before performing a subsearch or append?

How to use info_max_time as _time?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes