topic Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected in Splunk Search

Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

andimnf — Sat, 16 Nov 2019 11:25:22 GMT

Hi,
I need to perform a timechart count for a particular field. The dates in the field aren't related to the timestamp the log was received and can go back to dates a few years ago, and so I overwrite the _time and convert the field to epoch. This works well and the figures in the graph are accurate. However if I try and select the timeframe for 'last 7 days' or 'last 30 days' for example the timechart still shows all entries including those going back to 2017.

index=example sourcetye=examplesource| eval epoch_logged_time=strptime('Date Logged',"%d/%m/%Y") | eval _time=epoch_logged_time | timechart count span=7d

What's going on here?

TIA

Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

andimnf — Sat, 16 Nov 2019 11:51:52 GMT

I see now that the timeframe is created before the eval overwrites the _time field.

is there anything I can do here to show specific times?

Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

woodcock — Sun, 17 Nov 2019 02:24:26 GMT

Like this:

index=example sourcetye=examplesource earliest=0 latest=now
| eval epoch_logged_time=strptime('Date Logged',"%d/%m/%Y")
| eval _time=epoch_logged_time
| addinfo
| where ((_time >= info_min_time) AND (_time=="+Infinity" OR _time<=info_max_time))
| timechart fixedrange=f count span=7d

Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

andimnf — Sun, 17 Nov 2019 08:42:00 GMT

Thanks, but I get errors on the +Infinity value. I tried swapping that out for 'now' but it still just displays all time.

Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

andimnf — Sun, 17 Nov 2019 09:27:14 GMT

So I got this to do what I wanted using the following search. It's not the prettiest so I'm still wondering if there's a better way.

...| eval epoch_logged_time=strptime('Date Logged',"%d/%m/%Y")  | eval _time=epoch_logged_time | where _time>now()-7257600 | timechart count span=7d

Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

woodcock — Sun, 17 Nov 2019 14:28:25 GMT

You also need fixedrange=false. I updated my answer.

Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

woodcock — Sun, 17 Nov 2019 14:31:48 GMT

Try my updated answer. It should do exactly what you need as selected by the Time picker.

Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

andimnf — Mon, 18 Nov 2019 09:09:19 GMT

Thanks again. This still isn't taking the input from the timepicker and is just showing all dates.

Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

to4kawa — Mon, 18 Nov 2019 12:24:16 GMT

| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-2y@d"), relative_time(_time,"@d")) 
| makecontinuous span=1d
| eval time=now()
| streamstats count
| eval time=relative_time(time,"-".count."d@d")
| eval value=random() % 50 + 1
| bin span=7d time
| chart sum(value) as count by time
| rename time as _time

Anyway, even if it is not timechart, you can create a time series table.
Isn't it ok to limit _time with where, create a table, and rename it?

Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

woodcock — Mon, 18 Nov 2019 14:08:19 GMT

That seems pretty impossible because my answer is a slightly improved version of what you said in your other answer is already working. The addinfo part takes the timepicker's values and trims based on that instead of hard-coded. Are you sure that you are using what I posted?

Re: Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

andimnf — Mon, 18 Nov 2019 16:57:35 GMT

Yes, I copied and pasted it from here.

I see now it needs to have the "earliest=0 latest=now" removed for this to work.

Thanks for your help.