topic Get daily event count with reference to a field called &quot;TIME_CREATED&quot; rather than using index time in Splunk Search https://community.splunk.com/t5/Splunk-Search/Get-daily-event-count-with-reference-to-a-field-called-quot-TIME/m-p/474483#M133419 <P>Tried to use the below query but unfortunately events are grouped with reference to <STRONG>_time</STRONG> </P> <PRE><CODE>index=omi_UAT host=* sourcetype=all_events_custom_attributes SEVERITY IN (CRITICAL,MAJOR,MINOR) OR (SEVERITY=WARNING AND APPLICATION=NNMi) | dedup ID | timechart count(ID) BY SEVERITY </CODE></PRE> Fri, 03 Jan 2020 13:17:46 GMT anz999 2020-01-03T13:17:46Z Get daily event count with reference to a field called "TIME_CREATED" rather than using index time https://community.splunk.com/t5/Splunk-Search/Get-daily-event-count-with-reference-to-a-field-called-quot-TIME/m-p/474483#M133419 <P>Tried to use the below query but unfortunately events are grouped with reference to <STRONG>_time</STRONG> </P> <PRE><CODE>index=omi_UAT host=* sourcetype=all_events_custom_attributes SEVERITY IN (CRITICAL,MAJOR,MINOR) OR (SEVERITY=WARNING AND APPLICATION=NNMi) | dedup ID | timechart count(ID) BY SEVERITY </CODE></PRE> Fri, 03 Jan 2020 13:17:46 GMT https://community.splunk.com/t5/Splunk-Search/Get-daily-event-count-with-reference-to-a-field-called-quot-TIME/m-p/474483#M133419 anz999 2020-01-03T13:17:46Z Re: Get daily event count with reference to a field called "TIME_CREATED" rather than using index time https://community.splunk.com/t5/Splunk-Search/Get-daily-event-count-with-reference-to-a-field-called-quot-TIME/m-p/474484#M133420 <P>Try this. It assumes TIME_CREATED is in epoch form.</P> <PRE><CODE>index=omi_UAT host=* sourcetype=all_events_custom_attributes SEVERITY IN (CRITICAL,MAJOR,MINOR) OR (SEVERITY=WARNING AND APPLICATION=NNMi) | dedup ID | eval _time = TIME_CREATED | timechart count(ID) BY SEVERITY </CODE></PRE> Fri, 03 Jan 2020 13:42:49 GMT https://community.splunk.com/t5/Splunk-Search/Get-daily-event-count-with-reference-to-a-field-called-quot-TIME/m-p/474484#M133420 richgalloway 2020-01-03T13:42:49Z Re: Get daily event count with reference to a field called "TIME_CREATED" rather than using index time https://community.splunk.com/t5/Splunk-Search/Get-daily-event-count-with-reference-to-a-field-called-quot-TIME/m-p/474485#M133421 <P>Sorry it didn't worked, TIME_CREATED is in the format "2019-12-13 13:32:25.0"</P> Fri, 03 Jan 2020 14:11:23 GMT https://community.splunk.com/t5/Splunk-Search/Get-daily-event-count-with-reference-to-a-field-called-quot-TIME/m-p/474485#M133421 anz999 2020-01-03T14:11:23Z Re: Get daily event count with reference to a field called "TIME_CREATED" rather than using index time https://community.splunk.com/t5/Splunk-Search/Get-daily-event-count-with-reference-to-a-field-called-quot-TIME/m-p/474486#M133422 <P>So convert it.</P> <PRE><CODE>index=omi_UAT host=* sourcetype=all_events_custom_attributes SEVERITY IN (CRITICAL,MAJOR,MINOR) OR (SEVERITY=WARNING AND APPLICATION=NNMi) | dedup ID | eval _time = strptime(TIME_CREATED, "%Y-%m-%d %H:%M:%S.%N") | timechart count(ID) BY SEVERITY </CODE></PRE> Fri, 03 Jan 2020 15:09:35 GMT https://community.splunk.com/t5/Splunk-Search/Get-daily-event-count-with-reference-to-a-field-called-quot-TIME/m-p/474486#M133422 richgalloway 2020-01-03T15:09:35Z