I want to use a field that is present in my log message (a field in the JSON response) to chart my data, rather than the internal field Splunk uses (re: _time).
When trying to plot over my specified field, I don't get any results (even after converting the epoch into a human-readable string).
Question: How can I use a timestamp in the event message instead of the internal field that Splunk is using?
There are two timestamps present:
1. The internal field in Splunk, re: '_time' <--- Is this the indexing time of when Splunk processes the log?
2. 'message.timestamp' <--- This is the epoch timestamp of the "response" from the script that is producing the results (it queries an API and posts the data to Splunk). This is the actual time of when the event occurs, and the field I'd like to use to plot my data in a line graph.
Does not work:
index="index" sourcetype="sourcetype" | rename message.account as Account | search Account="account name" "message.title"="name" | bin span=1m _time | dedup _time, message.title | eval epochTimestamp=strftime('message.timestamp'/1000,"%Y-%m-%dT%H:%M:%S.%N") | chart span=1m sum(message.concurrent_sessions_minus_new60s) as "Concurrent sessions" over epochTimestamp by Account
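The search below is an added example, not part of the original post. It keeps the poster's index, sourcetype, field names and placeholder values ("index", "sourcetype", "account name", "name") as given and assumes, as the post states, that message.timestamp is epoch milliseconds. Two facts drive the change: _time is not the time Splunk indexed the event (that is the hidden field _indextime) but the timestamp extracted from the raw event according to the sourcetype's timestamp settings, and it is a numeric epoch value, so a search can simply overwrite it from a field in the event. Once _time holds the event's own timestamp, timechart does the per-minute bucketing and the "by Account" split that the original chart ... over epochTimestamp could not, because span= only applies to numeric or _time fields and strftime() returns a string.

```spl
index="index" sourcetype="sourcetype"
| rename message.account AS Account
| search Account="account name" "message.title"="name"
| eval _time = tonumber('message.timestamp') / 1000
| bin span=1m _time
| dedup _time, message.title
| timechart span=1m sum(message.concurrent_sessions_minus_new60s) AS "Concurrent sessions" BY Account
```

tonumber() guards against the JSON extraction having produced a string field, and the dedup is kept after bin so that it still collapses duplicates per minute and title, as in the original search. If the script's timestamp should be the event time for every search, the cleaner fix is to point the sourcetype's TIME_PREFIX and TIME_FORMAT in props.conf at message.timestamp so _time is set at index time; the exact regex and format for that depend on the raw event layout, which the post does not show.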