Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- How can I use an epoch timestamp in my event messa...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I use an epoch timestamp in my event messages over the internal, '_time' field for chart/timechart commands?
Expected Results
I want to use a field that is present in my log message (field in the JSON response) to chart my data, rather than the internal field splunk uses (re: _time).
Actual Results:
When trying to plot over my specified field, I don't produce any results (even after converting the epoch into a human readable string).
Question: How can I use a timestamp in the event message instead of the internal field that splunk is using?
There are two timestamps present:
1. the internal field in splunk. re: '_time' <--- Is this the indexing time of when splunk processes the log?
2. 'message.timestamp' <--- this is the epoch timestamp of the "response" from the script that is producing the results (it queries an api and posts the data to splunk). This is the actual time of when the event occurs, and the field I'd like to use to plot my data in a line graph.
Example query:
Does not work
index="index" sourcetype="sourcetype") | rename message.account as Account | search Account=account name "message.title"="name" | bin span=1m _time | dedup _time, message.title | eval epochTimestamp=strftime('message.timestamp'/1000,"%Y-%m-%dT%H:%M:%S.%N") | chart span=1m sum(message.concurrent_sessions_minus_new60s) as "Concurrent sessions" over epochTimestamp by Account
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Like this:
index="index" AND sourcetype="sourcetype") AND 'message.account'="account name" AND "message.title"="name"
| rename message.account as Account
| eval _time = 'message.timestamp' / 1000
| bin span=1m _time
| dedup _time message.title
| timechart span=1m sum(message.concurrent_sessions_minus_new60s) AS "Concurrent sessions" BY Account
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Please use the below query.The idea is to evaluate your custom time field to _time
index="index" sourcetype="sourcetype")
| rename message.account as Account
| search Account=account name "message.title"="name"
| bin span=1m _time
| dedup _time, message.title
| eval epochTimestamp=strftime('message.timestamp'/1000,"%Y-%m-%dT%H:%M:%S.%N")
|eval _time=epochTimestamp
| chart span=1m sum(message.concurrent_sessions_minus_new60s) as "Concurrent sessions" by Account
Splunk Mobile: Your Brand-New Home Screen
Introducing Value Insights (Beta): Understand the Business Impact your organization ...
Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...
