I am looking to chart my data based on another time field than the default _time that Splunk uses.
Is this possible? How do I go about doing this?
@esmonder, you would need to ensure that the other field is converted to epoch time and not string time using the strptime() function. You would then have two options:
1) Override _time with your epoch time and feed to timechart command, i.e.
| eval your_epoch_time=strptime(your_string_time,"<YourEpochTimeFormat>")
| eval _time=your_epoch_time
| timechart ....
PS: Refer to Date Time formats or provide sample of your date time field name and values: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
2) Use chart command to plot stats similar to timechart with over your_epoch_time to ensure x-axis is your epoch time. You would also need to fieldformat with strftime() to convert epoch time to string time so that you can read the same on chart
| eval your_epoch_time=strptime(your_string_time,"<YourEpochTimeFormat>")
| chart .... over your_epoch_time ...
Refer to strftime(), strptime() (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/DateandTimeFunctions#strftime.28X...) and fieldformat command (http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fieldformat) on Splunk Documentation.
If you need further assistance, please add your current time field values and stats you want to perform
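An added example, not part of the original answer: option 1 run end to end on four constructed events, with a check for values that strptime() cannot parse. The field names your_string_time and your_epoch_time follow the answer; the sample values, the format string "%Y-%m-%d %H:%M:%S", the 1h span and the helper field constructed_row are assumptions made for illustration.

```spl
| makeresults count=4
| streamstats count AS constructed_row
| eval your_string_time=case(
    constructed_row=1, "2024-03-01 10:15:00",
    constructed_row=2, "2024-03-01 10:45:00",
    constructed_row=3, "2024-03-01 11:05:00",
    constructed_row=4, "01/03/2024 11:30")
| eval your_epoch_time=strptime(your_string_time, "%Y-%m-%d %H:%M:%S")
| where isnotnull(your_epoch_time)
| eval _time=your_epoch_time
| timechart span=1h count
```

The fourth constructed value does not match the format string, so strptime() returns null for it and the where clause filters that row out explicitly before _time is overridden.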