https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292681#M88343 <P>I want to make area graphs of data usage on individual servers based on the timestamp given in the event data and not the default _time values. </P> <P>This is an example of an event:</P> <P>2017-06-29 19:32:57.254, DBNAME="BRMTPRD", SNAP_DATE="2017-06-18 03:00:32.0", TS_TYPE="REDO", TS_NAME="ONLINE_REDO_STBY", ALLOCATED_KB="3686400", USED_KB="3686400", FREE_KB="0", PCT_USED="100", LARGEST="0"</P> <P>I want to use the "SNAP_DATE" field as my "_time" values and then measure the "USED_KB" per day of "SNAP_DATE."</P> <P>Anything helps, thanks. </P> Tue, 29 Sep 2020 14:43:58 GMT twmoffit 2020-09-29T14:43:58Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292681#M88343 <P>I want to make area graphs of data usage on individual servers based on the timestamp given in the event data and not the default _time values. </P> <P>This is an example of an event:</P> <P>2017-06-29 19:32:57.254, DBNAME="BRMTPRD", SNAP_DATE="2017-06-18 03:00:32.0", TS_TYPE="REDO", TS_NAME="ONLINE_REDO_STBY", ALLOCATED_KB="3686400", USED_KB="3686400", FREE_KB="0", PCT_USED="100", LARGEST="0"</P> <P>I want to use the "SNAP_DATE" field as my "_time" values and then measure the "USED_KB" per day of "SNAP_DATE."</P> <P>Anything helps, thanks. </P> Tue, 29 Sep 2020 14:43:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292681#M88343 twmoffit 2020-09-29T14:43:58Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292682#M88344 <P>[]<BR /> SHOULD_LINEMERGE=false<BR /> NO_BINARY_CHECK=true<BR /> TIME_FORMAT=%Y-%m-%d %H:%M:%S.%3N<BR /> TIME_PREFIX=\d+-\d+-\d+\s\d+:\d+:\d+.\d+\,\sDBNAME=\"\S+\",\sSNAP_DATE=\"<BR /> MAX_TIMESTAMP_LOOKAHEAD=21<BR /> CHARSET=UTF-8</P> Tue, 29 Sep 2020 14:41:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292682#M88344 sbbadri 2020-09-29T14:41:50Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292683#M88345 <P>Hi twmoffit,<BR /> try something like this:</P> <PRE><CODE>your_search | eval SNAP_DATE=strptime(SNAP_DATE,"%Y-%m-%d %H:%M:%S.%N") | bin span=1d SNAP_DATE | eval SNAP_DATE=strftime(SNAP_DATE,"%Y-%m-%d") | chart sum(USED_KB) by SNAP_DATE </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Fri, 30 Jun 2017 13:51:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292683#M88345 gcusello 2017-06-30T13:51:05Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292684#M88346 <P>Similar to what @sbbadri proposed following should be added for your existing sourcetype definition (<CODE>TIME_PREFIX=SNAP_DATE="</CODE> should be sufficient):</P> <PRE><CODE>[Your_Source_Type] TIME_FORMAT=%Y-%m-%d %H:%M:%S.%N TIME_PREFIX=SNAP_DATE=" MAX_TIMESTAMP_LOOKAHEAD=21 </CODE></PRE> <P>You would need to re-index existing data.</P> Fri, 30 Jun 2017 13:53:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292684#M88346 niketn 2017-06-30T13:53:38Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292685#M88347 <PRE><CODE>Base Search ... | eval _time = strptime(SNAP_DATE, "%Y-%m-%d %H:%M:%S.%1Q") | timechart span=1d avg(USED_KB) </CODE></PRE> <P>Obviously, replace <CODE>avg(blah)</CODE> with max or some other function as necessary.</P> Fri, 30 Jun 2017 13:55:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292685#M88347 Richfez 2017-06-30T13:55:12Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292686#M88348 <P>Great that works but now how do I make it so that the data is split up by the database name. I want to be able to compare the usages by each database in the index and create one graph showing the difference.</P> Fri, 30 Jun 2017 13:55:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292686#M88348 twmoffit 2017-06-30T13:55:51Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292687#M88349 <P>... | rex field=_raw "DBNAME=\"(?\S+)\" | chart sum(USED_KB) over SNAP_DATE by DBNAME</P> Tue, 29 Sep 2020 14:41:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292687#M88349 sbbadri 2020-09-29T14:41:54Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292688#M88350 <P>Check out this blog.</P> <P><A href="https://www.splunk.com/blog/2016/09/16/i-cant-make-my-time-range-picker-pick.html">https://www.splunk.com/blog/2016/09/16/i-cant-make-my-time-range-picker-pick.html</A></P> <P>This will make the time range picker work and more.</P> Fri, 18 May 2018 15:29:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292688#M88350 Claw 2018-05-18T15:29:56Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292689#M88351 <P>I followed the instructions on the blog post and could not get it to work. I have a time field within my logs as <BR /> <CODE>year=2018 month=04 day=05 hour=20 event_count=100</CODE>. The event came in <CODE>2018-06-03 2000</CODE>. I want to use the time picker to select events by their year, month, day, hour time fields. NOT when they came in. I overrode <CODE>_time</CODE> as well. This is what I have in my source </P> <PRE><CODE> index=index_1 OR index=index_2 category=mobile event_type=hive_events zone=aws | eval _time=strptime(time,"%Y-%m-%d-%H:%M:%S") | sort - _time | addinfo | where _time &amp;gt;= info_min_time AND (_time &amp;lt;= info_max_time OR info_max_time = "+Infinity") | eval DateHour=year."-".month."-".day."-".hour | eval Start_Time=strftime(info_min_time, "%Y-%m-%d-%H:00") | eval End_Time=strftime(info_max_time, "%Y-%m-%d-%H:00") | table DateHour _time Start_time info_min_time End_time info_max_time zone event_count </CODE></PRE> Tue, 05 Jun 2018 18:08:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292689#M88351 liondancer 2018-06-05T18:08:44Z https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292690#M88352 <P>If I understand your example and you have date and time in year=2018 month=04 day=05 hour=20 you will have to convert this to a single field for the strptime command to work.</P> <P><CODE>| eval my_time=year."-".month."-".day."-".hour."-0-0"</CODE><BR /> <CODE>| eval _time=strptime(my_time,"%Y-%m-%d-%H:%M:%S")</CODE></P> <P>Hope this helps.</P> Tue, 05 Jun 2018 20:55:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-change-the-time-to-values-inside-the-event-data/m-p/292690#M88352 Claw 2018-06-05T20:55:59Z