topic Re: How to make another field as date field instead of _time? in Splunk Search

How to make another field as date field instead of _time?

vrmandadi — Tue, 20 Feb 2018 22:45:11 GMT

I am doing a chart command on two fields as below

index=main sourcetype=csv "Site "=* "Content "=* | chart count( Views) by "Event Date"

The above command gives the count of view for each event date

Event Date count( Views)
2/14/2018 408960
2/15/2018 427769

but when I select the date range from the time picker the data is not changing,how can I make the "Event data" change on selecting the desired date range

Re: How to make another field as date field instead of _time?

mayurr98 — Wed, 21 Feb 2018 08:11:55 GMT

You can change the _time to have values from field Event Date, at search time like this, but note that the time range will still apply from the older value of _time.

your base search | eval _time=strptime("Event Date","%m/%d/%Y")  | timechart span=1d count( Views)

let me know if this helps!

Re: How to make another field as date field instead of _time?

vrmandadi — Wed, 21 Feb 2018 14:50:10 GMT

I tried this before but it does not show any results and other thing is that all the interesting and selected fields will not be seen