Dashboards & Visualizations

Hardcoded Time Bucketing

zgoda
Explorer

Hi guys,

I was recently given a new data index that has hardcoded time stamps in the event rather than being based on _time. The events are also re-indexed every night rather than being ingested when the event occurred making this more complex. For example, an event that happened aug 14th will have a hardcoded epoch of aug 14th yet the splunk _time date is yesterday evening. Using this data, I have been able to create a time chart but I am having trouble with months with no events. The months that have no events are being skipped (see below picture) because there is no data for that particular month. How can you create buckets based on the hard coded dates or create something to fill these no existent months?
alt text

Tags (1)
0 Karma

DalJeanis
Legend

1) in your search you can assign the hardcoded epoch time value to_time to put the event in the right place.

2) use continuous=t on your timechart to set the time gaps at 0.

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...