Splunk Dev
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Reconfiguring timestamp to match csv row, not indexing time

jamesandy51
Explorer
‎01-23-2019 12:46 PM

alt text

Hi! I am attaching a screenshot of my query as the problem is immediately apparent. I am searching only for dates 1/14-1/18. I have data in Splunk that has a "day" and "hour" column, and I want that to be the source of truth for my dates. I think Splunk is ignoring them and setting a timestamp based on time of index. Can you please tell me how to troubleshoot configuring the timestamp? As you can see, I am trying to display _time or timestamp but these are not even selected fields. How do I make my query only contain the dates within my selected range (excluding 1/04, 1/07, etc.)

Tags (1)
Preview file
1 KB
0 Karma
Reply

Vijeta
Influencer
‎01-23-2019 01:12 PM

you could instead of day use _time and get the actual date from _time.
eval date = strftime(_time,"%Y-%m-%d")

0 Karma
Reply

jamesandy51
Explorer
‎01-23-2019 01:21 PM

Sorry, not sure I understand your suggestion. You can see that _time is empty in my table, so using that field returns no results. "day" is a column header in my data which has the timestamp I want to use, so I definitely want that field included in my query.

0 Karma
Reply

Vijeta
Influencer
‎01-23-2019 01:30 PM

_time by default is never empty it always has timestamps. In your table it is empty because you are using stats by day and not by _time. The result of your stats is table with reqs and day field. So you cannot see _time field as its already removed by stats command

0 Karma
Reply

jamesandy51
Explorer
‎01-23-2019 01:50 PM

Even if I use _time, it is still returning results from the days outside of my selected time range. How do I make the time range apply to the dates that I want? I have it now so that eval _time is returning the correct dates, but the results are still being returned are still all of the ones indexed during those dates.

0 Karma
Reply

Vijeta
Influencer
‎01-23-2019 01:58 PM

The time range looks time from _time , so if you select time from 14th jan to 18th jan, it will pick time from _time from that range only. Try below search

  network="client"  venue_id IN(venue_name)| bin span=1d _time| stats sum(req_spots) as req by _time| fields _time  reqs
0 Karma
Reply

jamesandy51
Explorer
‎01-23-2019 02:32 PM

Sorry, but as I explained this will not work. This query groups all the requests between 1/04-1/15 into the 1/15 timestamp. This is because all of this data was indexed on 1/15. I do not want the _time to look at when the data was indexed. I want it to look at the timestamp within the csv.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...