Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use info_max_time as _time?

the_wolverine
Champion
‎10-17-2012 03:00 PM

I'm running a search where I perform a rename of another time field to _time:

mysummarysearch | rename info_max_time as _time

It works as a simple search but if I try to do anything bolder, like use it in a subsearch and append to another search, I lose the results of the subsearch entirely (only the results of the outer search are returned.)

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

the_wolverine
Champion
‎10-18-2012 03:49 PM

Thanks for all the suggestions! I have to use a specific start time for my use case -- but based on the suggestions in comments, I've gotten this to work:

Here is my query with subsearch

[search index=summary marker=abc earliest=1350595800 | rename info_max_time as _time | format maxresults=0 ] OR index=main sourcetype=xyz OR sourcetype=123 earliest=1350595800 | timechart span=10m count(eval(sourcetype=="abc")) as XYZ count(eval(sourcetype=="123")) as 123 count(eval(marker=="abc")) as ABC

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

the_wolverine
Champion
‎10-18-2012 03:49 PM

Thanks for all the suggestions! I have to use a specific start time for my use case -- but based on the suggestions in comments, I've gotten this to work:

Here is my query with subsearch

[search index=summary marker=abc earliest=1350595800 | rename info_max_time as _time | format maxresults=0 ] OR index=main sourcetype=xyz OR sourcetype=123 earliest=1350595800 | timechart span=10m count(eval(sourcetype=="abc")) as XYZ count(eval(sourcetype=="123")) as 123 count(eval(marker=="abc")) as ABC
0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎10-18-2012 10:35 AM

I haved used the following instead of using timechart.



mysummarysearch | rename info_max_time as ctime | chart span=5m max(mycount) as "Max Count" over ctime  by host





mysummarysearch | rename info_max_time as ctime | stats max(cpu) as mcpu, stdev(cpu) as scpu | fields ctime, mcpu, scpu

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎10-17-2012 11:48 PM

Can you post the subsearch where you were attempting to use the _time values as arguments to the outer search? If you use time arguments in the search clause you have to use the earliest and latest search terms, ie earliest=-24h, or earliest=1350408576. So really if you want to use them as search arguments you need to rename them to earliest and latest...

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎10-17-2012 07:41 PM

Yes, it works! But only as a simple search:

search | rename info_max_time as _time

However if I want to subsearch that, Splunk doesn't agree with me.

0 Karma
Reply
Solved! Jump to solution

dbryan
Path Finder
‎10-17-2012 05:12 PM

Are you trying to rename it as _time so that Splunk uses it as the time of the event? In my experience I haven't had any success getting Splunk to treat a different field as the native time of the event at search time.

0 Karma
Reply
Solved! Jump to solution

the_wolverine
Champion
‎10-17-2012 04:42 PM

Yeah, I'm seeing odd behavior as well but I'm not sure how I would timechart this if I don't use _time?

My outersearch is just (filtered) events, all fields. I'm trying to combine 2 sources of data so I can timechart them all based on _time.

0 Karma
Reply
Solved! Jump to solution

bmacias84
Champion
‎10-17-2012 03:34 PM

Why not rename info_max_time as another name rather than using _time? Personally I've noticed quarky thing when renaming field to metadata fields when performing complex searches. Another question in your outer search are you using "...| fields ," before performing a subsearch or append?

0 Karma
Reply
Get Updates on the Splunk Community!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...