Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Use custom time field for individual search

b1388035
Explorer
‎07-08-2013 02:13 AM

I have data coming into Splunk on a daily basis, this data can have event times which are anytime in the last month.

I have saved searches setup to index this data, again on a daily basis. However to ensure the saved search only picks up the new data I have forced splunk to ignore my event's actual time fields and force a _time of when the data was indexed.

So, I now have a problem when using timelines as my search is using then _time field and are not using the real event Time field. Is there any function included where I can force a splunk search to use a custom time field.

Reply
1 Solution
Solved! Jump to solution
Solution

linu1988
Champion
‎07-08-2013 05:24 AM

you need to replace the _time fields as below(if i understand correctly you are using timechart):

your search|eval _time=strptime(Time,"%y/%m/%d %H:%M:%S")|timechart ...

then see in a table if its correct. You will be able to use the timechart option according to the custom Time field. Thanks, hope it clarifies..

View solution in original post

Reply
Solved! Jump to solution
Solution

linu1988
Champion
‎07-08-2013 05:24 AM

you need to replace the _time fields as below(if i understand correctly you are using timechart):

your search|eval _time=strptime(Time,"%y/%m/%d %H:%M:%S")|timechart ...

then see in a table if its correct. You will be able to use the timechart option according to the custom Time field. Thanks, hope it clarifies..

Reply
Solved! Jump to solution

b1388035
Explorer
‎07-08-2013 09:00 AM

Works great for the Splunk timecharts thank you. When using Sideviews' FlashTimeline it doesn't pick up the evaluated _time field but just uses the index time.

0 Karma
Reply
Solved! Jump to solution

b1388035
Explorer
‎07-08-2013 05:10 AM

I have been able to get that stage working so all my events now have a _time of when they were indexed. All events have an additional 'Time' field. So, The issue is how to make use of a custom 'Time' field at search time and ignore _time

Reply
Solved! Jump to solution

linu1988
Champion
‎07-08-2013 03:12 AM

use the props.conf to set up your indexing time rather than the event time.

DATETIME_CONFIG=NONE/ CURRENT

If the data is already indexed there is nothing that can be done. Either it has to be deleted/ the captured time needs to be used.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...