topic Re: Relative Time from Event Field in Splunk Search

Can I resolve this Relative Time from Event Field error?

CannonT — Thu, 19 Jan 2023 15:32:49 GMT

I am trying to extract a field containing the date an event actually happened rather than the _time field because the data is coming from a csv and being entered much later. I want to use this new _time value to limit the search to a window of time that will later be defined by tokens given from a drop down box in the dashboard.

The base search I am using returns the field data in _time correctly.

index=test_index sourcetype=recipients OR sourcetype=opened
    | eval _time=strptime(eventDate, "%m/%d/%Y")  
    | table _time

However, once relative time is added to the equation I get error: "No matching fields exist
[] Some events were removed by Timeliner because they were missing _time."
In addition to this the fields are merely put in descending order from the most recent time rather than being limited to the relative time range. Is there another way to do this?

 index=test_index sourcetype=recipients OR sourcetype=opened
    | eval _time=strptime(eventDate, "%m/%d/%Y") 
    | stats values(_time)
    | where _time>=relative_time(now(),"-1m") AND _time<=now()
    | table _time

Re: Relative Time from Event Field

somesoni2 — Thu, 29 May 2014 13:34:01 GMT

Try using names other than _time while converting eventDate to epoch.

Re: Relative Time from Event Field

Ayn — Thu, 29 May 2014 16:37:27 GMT

Once you do stats values(_time) the only field that will be available to the rest of the search pipeline is a multivalued field called "values(_time)", so the where operation will fail. I'm not sure what the idea is with the stats command, so I'd suggest just removing it altogether.

Re: Relative Time from Event Field

CannonT — Thu, 29 May 2014 16:46:32 GMT

Without it the search doesn't run at all. It was just a stretch to throw something in to make it return something.

Re: Relative Time from Event Field

CannonT — Thu, 29 May 2014 16:49:02 GMT

I tried converting to a time field then eval _time=time. The same thing happened with this as well.

Re: Relative Time from Event Field

Ayn — Thu, 29 May 2014 17:40:48 GMT

Ah. It might be that when you create fields starting with _ they are considered to be internal and therefore 'invisible' to the rest of the search pipeline. Try replacing your stats command with eval time=_time and then perform your eval and where commands against time instead of _time.

Re: Relative Time from Event Field

CannonT — Thu, 29 May 2014 19:16:15 GMT

I'm still receiving no event or results from the search using a time variable instead of _time.

Re: Relative Time from Event Field

kplante — Thu, 19 Jan 2023 02:35:53 GMT

I encountered this same issue and came to the conclusion that Splunk only accepts epoch time formats for the _time field. If I eval _time to a value matching epoch time format, it produces the expected results without the error.