Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Hardcoded Time Bucketing

zgoda
Explorer
‎08-20-2018 11:29 AM

Hi guys,

I was recently given a new data index that has hardcoded time stamps in the event rather than being based on _time. The events are also re-indexed every night rather than being ingested when the event occurred making this more complex. For example, an event that happened aug 14th will have a hardcoded epoch of aug 14th yet the splunk _time date is yesterday evening. Using this data, I have been able to create a time chart but I am having trouble with months with no events. The months that have no events are being skipped (see below picture) because there is no data for that particular month. How can you create buckets based on the hard coded dates or create something to fill these no existent months?
alt text

Tags (1)
Preview file
26 KB
0 Karma
Reply

DalJeanis
Legend
‎08-21-2018 01:19 PM

1) in your search you can assign the hardcoded epoch time value to_time to put the event in the right place.

2) use continuous=t on your timechart to set the time gaps at 0.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...