How can I use an epoch timestamp in my event messages over the internal, '_time' field for chart/timechart commands?

jcris2840
New Member

Expected Results
I want to use a field that is present in my log message (a field in the JSON response) to chart my data, rather than the internal field Splunk uses (re: _time).

Actual Results:
When trying to plot over my specified field, I don't produce any results (even after converting the epoch into a human readable string).

Question: How can I use a timestamp in the event message instead of the internal field that Splunk is using?

There are two timestamps present:
1. the internal field in Splunk, re: '_time' <--- Is this the indexing time of when Splunk processes the log?
2. 'message.timestamp' <--- this is the epoch timestamp of the "response" from the script that is producing the results (it queries an API and posts the data to Splunk). This is the actual time of when the event occurs, and the field I'd like to use to plot my data in a line graph.

Example query:

Does not work
index="index" sourcetype="sourcetype"
| rename message.account as Account
| search Account="account name" "message.title"="name"
| bin span=1m _time
| dedup _time, message.title
| eval epochTimestamp=strftime('message.timestamp'/1000,"%Y-%m-%dT%H:%M:%S.%N")
| chart span=1m sum(message.concurrent_sessions_minus_new60s) as "Concurrent sessions" over epochTimestamp by Account


woodcock
Esteemed Legend

Like this:

index="index" AND sourcetype="sourcetype" AND message.account="account name" AND "message.title"="name"
| rename message.account as Account
| eval _time = 'message.timestamp' / 1000
| bin span=1m _time
| dedup _time message.title
| timechart span=1m sum(message.concurrent_sessions_minus_new60s) AS "Concurrent sessions" BY Account

dindu
Contributor

Hi,

Please use the below query. The idea is to evaluate your custom time field into _time.

    index="index" sourcetype="sourcetype"
    | rename message.account as Account
    | search Account="account name" "message.title"="name"
    | eval _time='message.timestamp'/1000
    | bin span=1m _time
    | dedup _time, message.title
    | chart span=1m sum(message.concurrent_sessions_minus_new60s) as "Concurrent sessions" over _time by Account
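An added example, not from this thread and not Splunk code: a small Python model of what both answers do to the events, so the two time fields can be compared side by side. The sample events are constructed here; "_time" stands in for the index-side timestamp and "message.timestamp" for the epoch-milliseconds value carried in the JSON payload. It reproduces the working pipeline (convert milliseconds to seconds, assign to _time, bin to one minute, dedup, sum per account) and, for contrast, the question's approach of charting over a strftime string, where every distinct millisecond becomes its own x-axis category because a text key has nothing numeric for a span to bin. One caveat worth seeing in code: `dedup _time message.title` keys on bucket and title only, so two accounts reporting the same title in the same minute collapse into one row. For incident timelines this distinction matters: when the collector script posts results late, charting on index time shows when data arrived, not when the condition occurred.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (not from the thread). The collector POSTed them
# about five minutes after they happened, so index time (_time) and the
# payload's message.timestamp (epoch milliseconds) disagree.
SAMPLE_EVENTS = [
    {"_time": 1700000300.0, "message": {"account": "acme", "title": "name",
     "timestamp": 1700000000123, "concurrent_sessions_minus_new60s": 5}},
    # exact duplicate of the previous payload (a retried POST)
    {"_time": 1700000301.0, "message": {"account": "acme", "title": "name",
     "timestamp": 1700000000123, "concurrent_sessions_minus_new60s": 5}},
    {"_time": 1700000302.0, "message": {"account": "acme", "title": "name",
     "timestamp": 1700000090000, "concurrent_sessions_minus_new60s": 2}},
    # a second account in the same minute as the first event
    {"_time": 1700000303.0, "message": {"account": "globex", "title": "name",
     "timestamp": 1700000030500, "concurrent_sessions_minus_new60s": 9}},
]

SPAN_SECONDS = 60  # bin span=1m


def event_time(event):
    """eval _time = 'message.timestamp' / 1000: milliseconds -> epoch seconds."""
    return event["message"]["timestamp"] / 1000


def bin_time(epoch_seconds, span=SPAN_SECONDS):
    """bin span=<span> _time: floor the timestamp to the start of its bucket."""
    return int(epoch_seconds // span) * span


def timechart_sessions(events, span=SPAN_SECONDS):
    """Model of the accepted answer's pipeline.

    Returns {bucket_start_epoch: {account: summed sessions}}, i.e. the
    rows a timechart/chart over _time by Account would produce.
    """
    seen = set()
    table = defaultdict(lambda: defaultdict(int))
    for ev in events:
        msg = ev["message"]
        bucket = bin_time(event_time(ev), span)
        # dedup _time message.title keeps the first event per (bucket, title).
        # Account is not part of the key, so a second account reporting the
        # same title in the same minute is dropped; add Account to the dedup
        # field list if that is not the intent.
        key = (bucket, msg["title"])
        if key in seen:
            continue
        seen.add(key)
        table[bucket][msg["account"]] += msg["concurrent_sessions_minus_new60s"]
    return {b: dict(accts) for b, accts in sorted(table.items())}


def chart_over_formatted_string(events):
    """Model of the question's approach: x-axis keyed by a strftime string.

    Python's strftime has no %N, so the millisecond part is appended by hand.
    The key is text with millisecond precision, so a 1-minute span has
    nothing numeric to bin and every distinct timestamp becomes its own
    category. Returns the list of distinct x-axis keys produced.
    """
    keys = []
    for ev in events:
        ts = datetime.fromtimestamp(event_time(ev), tz=timezone.utc)
        label = ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}"
        if label not in keys:
            keys.append(label)
    return keys


def bucket_label(bucket_start):
    """Format a bucket start for display only, after the numeric binning."""
    return datetime.fromtimestamp(bucket_start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


if __name__ == "__main__":
    for bucket, accounts in timechart_sessions(SAMPLE_EVENTS).items():
        print(bucket_label(bucket), accounts)
    print("string keys:", chart_over_formatted_string(SAMPLE_EVENTS))
```

Running it prints two one-minute rows keyed by the payload's own time, with the retried duplicate removed and the globex event silently dropped by the title-only dedup, followed by the three distinct string keys the formatted approach would put on the x-axis.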