How to set the event time to the time from summary...

splunkrocks2014 · ‎03-02-2018

Hi. I have a query to generate the events with timestamp, "_time", from the original events and ingested to a summary index. How can I set up the "_time" from the original events as "_time" from the summary index?

elliotproebstel · ‎03-02-2018

The collect command will default to addtime=true, which generally means that the _time value for the collected event will be the earliest time of the search that generated the summary event. See the docs for more details.

To fix this for the case you've described, set addtime=false in your collect command, like this:

| fields _time, field1, field2, field3
| collect addtime=false index=my_summary_index

splunkrocks2014 · ‎03-02-2018

In this case, Splunk will drop "_time" field from the original events.

somesoni2 · ‎03-02-2018

AFAIK, Splunk should already be using _time from search results as _time in the summary index events. Is it not happening for you? How are you saving your result to summary index, using saved search's summary indexing option or using collect command?

splunkrocks2014 · ‎03-02-2018

I am using collect command, like,

| fields _time, field1, field2, field3
| collect index=my_summary_index

somesoni2 · ‎03-02-2018

If you result set includes field _time, the collect command too should set the _time of resulting event in summary index, with same value. Is it not happening for you?

splunkrocks2014 · ‎03-02-2018

The "_time" from summary index is the time when the data ingested to the summary index, and it is not the time from the event as defined as "_time".

somesoni2 · ‎03-02-2018

Try running below search (generating dummy data) and collect it to a test index.

| gentimes start=-1 | eval _time=relative_time(now(),"-5m@m") | collect index=main

When you search index=main, the timestamp on event from above search should be about 5 mins from now. If this works, can you share your full search, before your collect command? Mask any sensitive information.

splunkrocks2014 · ‎03-02-2018

It is not working either. Try this:

| gentimes start=-1 
| eval myTime=strptime("2018-03-01 11:00:00", "%Y-%m-%d %H:%M:%S"), report="testing" 
|eval _time=relative_time(myTime,"-0m@m") 
| fields _time, report 
| collect index=my_summary_index

somesoni2 · ‎03-02-2018

With this, I got following raw data in my summary index, with _time matching the time on raw data (Timerange for search was Yesterday):

03/01/2018 11:00:00 -0600, info_min_time=1520024133.000, info_max_time=1520025033.000, info_search_time=1520025033.882, report=testing

somesoni2 · ‎03-02-2018

Can you post what search has generated on your system?

splunkrocks2014 · ‎03-02-2018

It doesn't work for me. Here is the data:

_time                                 _raw
2018-03-02 16:43:45      03/01/2018 11:00:00 -0500, info_min_time=1520023380.000, info_max_time=1520027024.000, info_search_time=1520027024.435, report=testing123

How to set the event time to the time from summary index?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!