Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Use of _indextime field in table or stats command

rakshithreddy
Explorer
‎10-31-2017 04:04 PM

Hi All

How can I use _indextime field in table or stats command without renaming or converting it.

Not working
Ex: * | table host source sourcetype _time _indextime _raw

Its working if I rename the _indextime or convert the _indextime, But I want the results with _indextime as field

Working
Ex: * | eval indextime=_indextime | table host source sourcetype _time indextime _raw

Thank you

Tags (1)
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-01-2017 11:17 AM

Hi @rakshithreddy,

_indextime is an internal filed and a hidden field, it will not be displayed in search results unless renamed or used with an eval.

So whenever you eval _indextime it will work.

Please refer below document for more information.

http://docs.splunk.com/Documentation/Splunk/7.0.0/Knowledge/Usedefaultfields

Thanks
Happy Splunking

0 Karma
Reply

rakshithreddy
Explorer
‎11-01-2017 11:34 AM

Hello

Thanks for reply

We can display _raw , _time not _indextime & not sure why

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-01-2017 11:41 AM

Hi @rakshithreddy,

Good question.

_raw and _time is NOT hidden field.

The _raw field contains the original raw data of an event. The search command uses the data in _raw when performing searches and data extraction.

The _time field contains an event's timestamp expressed in Unix time. This field is used to create the event timeline in Splunk Web.

_indextime is a hidden field that's why we have to eval _indextime to make in use.

🙂

Thanks

0 Karma
Reply

rakshithreddy
Explorer
‎11-01-2017 12:00 PM

Good to know,
But I was looking for anyway if we cheat this thing.

Thank you

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-01-2017 12:13 PM

Hi @rakshithreddy,

Yes, for you I have a trick but in configuration.

If we set EVAL in props.conf then we don't need eval in any search in the app.

Just put below configuration in props.conf.

[MY_SOURCETYPE]
EVAL-indextime=_indextime

Search:

sourcetype=MY_SOURCETYPE | table _time indextime

Thanks
Happy Splunking.

0 Karma
Reply

ddrillic
Ultra Champion
‎10-31-2017 04:24 PM

Try please - base search | eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") | table indextime

Reply

rakshithreddy
Explorer
‎10-31-2017 04:35 PM

thanks for reply,

I want it to be -
base search | table _indextime, the field name should be _indextime as i am sending these results to an external application & that application can only detect if its _indextime

0 Karma
Reply

Lucas_K
Motivator
‎10-31-2017 04:51 PM

I think you're out of luck. You can't display exact "_indextime" as the output will always filter.

You can fake it and put in a space though.

index=_internal | rename _indextime AS " _indextime"| table host " _indextime"

Notice the space in the quotes.

0 Karma
Reply

ddrillic
Ultra Champion
‎10-31-2017 05:57 PM

No luck -

alt text

Preview file
1 KB
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...