Hi. I have a query to generate the events with timestamp, "_time", from the original events and ingested to a summary index. How can I set up the "_time" from the original events as "_time" from the summary index?
The collect command will default to addtime=true, which generally means that the _time value for the collected event will be the earliest time of the search that generated the summary event. See the docs for more details.
To fix this for the case you've described, set addtime=false in your collect command, like this:
| fields _time, field1, field2, field3
| collect addtime=false index=my_summary_index
In this case, Splunk will drop the "_time" field from the original events.
AFAIK, Splunk should already be using _time from the search results as _time in the summary index events. Is it not happening for you? How are you saving your results to the summary index, using a saved search's summary indexing option or using the collect command?
I am using the collect command, like:
| fields _time, field1, field2, field3
| collect index=my_summary_index
If your result set includes the field _time, the collect command should also set the _time of the resulting event in the summary index to the same value. Is it not happening for you?
The "_time" from the summary index is the time when the data was ingested into the summary index, and it is not the time from the event as defined by "_time".
Try running the search below (which generates dummy data) and collect it into a test index.
| gentimes start=-1 | eval _time=relative_time(now(),"-5m@m") | collect index=main
When you search index=main, the timestamp on the event from the above search should be about 5 minutes from now. If this works, can you share your full search, up to your collect command? Mask any sensitive information.
It is not working either. Try this:
| gentimes start=-1
| eval myTime=strptime("2018-03-01 11:00:00", "%Y-%m-%d %H:%M:%S"), report="testing"
| eval _time=relative_time(myTime,"-0m@m")
| fields _time, report
| collect index=my_summary_index
With this, I got the following raw data in my summary index, with _time matching the time on the raw data (the time range for the search was Yesterday):
03/01/2018 11:00:00 -0600, info_min_time=1520024133.000, info_max_time=1520025033.000, info_search_time=1520025033.882, report=testing
Can you post what search has generated on your system?
It doesn't work for me. Here is the data:
_time                _raw
2018-03-02 16:43:45  03/01/2018 11:00:00 -0500, info_min_time=1520023380.000, info_max_time=1520027024.000, info_search_time=1520027024.435, report=testing123
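The two raw summary events quoted above carry enough information to tell which timestamp Splunk used as the event's _time: the leading "MM/DD/YYYY HH:MM:SS +ZZZZ" prefix that collect writes is the original event time, while info_search_time is the epoch at which the generating search ran. The following Python is an added diagnostic, not code from the thread or from Splunk. It parses that _raw layout, then compares the displayed _time against both candidates and reports whether the summary event kept the original event time (as in the first sample) or was stamped with the search time (as in the second). The sample lines are constructed from the two events posted in the thread; the assumption that the displayed _time is rendered in the same timezone as the _raw prefix is mine.

```python
import re
from datetime import datetime

# Matches the _raw layout that collect writes: a timestamp prefix with a
# numeric UTC offset, then comma-separated key=value fields.
RAW_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [+-]\d{4}),\s*(?P<rest>.*)$"
)

# Constructed samples taken in shape from the two events posted in the thread:
# (_time as displayed in the search results, _raw stored in the summary index).
SAMPLES = [
    ("2018-03-01 11:00:00",
     "03/01/2018 11:00:00 -0600, info_min_time=1520024133.000, "
     "info_max_time=1520025033.000, info_search_time=1520025033.882, report=testing"),
    ("2018-03-02 16:43:45",
     "03/01/2018 11:00:00 -0500, info_min_time=1520023380.000, "
     "info_max_time=1520027024.000, info_search_time=1520027024.435, report=testing123"),
]


def parse_summary_raw(raw):
    """Split a summary-index _raw line into the event-time prefix and its fields."""
    m = RAW_RE.match(raw)
    if not m:
        raise ValueError("not a collect-style _raw line: %r" % raw)
    # %z accepts the "-0600" form that collect writes.
    event_time = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S %z")
    fields = {}
    for pair in m.group("rest").split(", "):
        key, _, value = pair.partition("=")
        fields[key] = value
    return {
        "event_time": event_time,
        "info_search_time": float(fields["info_search_time"]),
        "fields": fields,
    }


def classify_summary_event(displayed_time, raw, tolerance_s=2.0):
    """Return which timestamp the summary event's _time was taken from.

    Assumption: the displayed _time is rendered in the same timezone as the
    offset in the _raw prefix, so that offset is reused to make it absolute.
    """
    parsed = parse_summary_raw(raw)
    shown = datetime.strptime(displayed_time, "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=parsed["event_time"].tzinfo
    )
    shown_epoch = shown.timestamp()
    if abs(shown_epoch - parsed["event_time"].timestamp()) <= tolerance_s:
        return "event_time"          # _time preserved from the original event
    if abs(shown_epoch - parsed["info_search_time"]) <= tolerance_s:
        return "search_time"         # _time stamped when the search ran
    return "unknown"


if __name__ == "__main__":
    for shown, raw in SAMPLES:
        print(shown, "->", classify_summary_event(shown, raw))
```

Run against the thread's own two events, the first reports event_time and the second search_time, which is exactly the symptom described: the displayed _time of the second event is within a second of info_search_time rather than of the 03/01/2018 11:00:00 prefix.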