Collect's addtime=true/false : What does it do?

the_wolverine · ‎09-01-2010

I've got certain events that I want to send to collect. I see the addtime option (defaults to true). What does it do?

My assumption was that setting it to false (addtime=f) uses the _time of the original event, but that doesn't seem to be the case. No matter what I use, t or f, I get a timestamp of the current time when my search was piped to collect. For example:

mysearch for two files | diff | collect index=summary addtime=f

(The search outputs just fine with the correct date when I append | addinfo to the end of the search above.)

Splunk version 4.1.4.

gkanapathy · ‎09-01-2010

First of all, the option only has an effect if the results going into collect do not have a _raw field, i.e., usually output of (si)stats or (si)timechart. If you're using the diff command, I expect you would have a _raw field, so it doesn't do anything.

In the case where there is no _raw field, specifiying addtime=f will have Splunk go through it's generic date detection against fields in whatever order they happen to be in the summary rows (usually lexicographic by field name). Using addtime=t ensures that the search time range info_min_time (which is added by sistats) or _time in the summary data gets used instead.

the_wolverine · ‎09-01-2010

Thanks for the response. Is there some other way to inject my diff result into the index?

Collect's addtime=true/false : What does it do?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...