I've got certain events that I want to send to collect. I see the addtime option (defaults to true). What does it do?
My assumption was that setting it to false (addtime=f) uses the _time of the original event, but that doesn't seem to be the case. No matter what I use, t or f, I get a timestamp of the current time when my search was piped to collect. For example:
mysearch for two files | diff | collect index=summary addtime=f
(The search outputs just fine with the correct date when I append | addinfo to the end of the search above.)
Splunk version 4.1.4.
First of all, the option only has an effect if the results going into collect do not have a _raw field, i.e., usually output of (si)stats or (si)timechart. If you're using the diff command, I expect you would have a _raw field, so it doesn't do anything.

In the case where there is no _raw field, specifying addtime=f will have Splunk go through its generic date detection against fields in whatever order they happen to be in the summary rows (usually lexicographic by field name). Using addtime=t ensures that the search time range info_min_time (which is added by sistats) or _time in the summary data gets used instead.
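An added illustration (not from the original thread) of the case where addtime actually matters: the stats output has no _raw field, and _time is kept as a group-by field so that addtime=t has a timestamp to use. Index, sourcetype and field names here are assumptions.

```spl
index=web sourcetype=access_combined
| bin _time span=1h
| stats count AS requests BY _time, host
| collect index=summary addtime=t
```

With addtime=f on the same search, Splunk would instead run its generic date detection over the summary row's fields in field-name order, which is why keeping an explicit _time column and addtime=t is the predictable choice. A search that returns raw events (or diff output) still carries _raw, so addtime is ignored there, as the answer explains.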
Thanks for the response. Is there some other way to inject my diff result into the index?