Getting Data In

How can I use an epoch timestamp in my event messages over the internal, '_time' field for chart/timechart commands?

New Member

Expected Results:
I want to use a field that is present in my log message (a field in the JSON response) to chart my data, rather than the internal field Splunk uses (re: _time).

Actual Results:
When trying to plot over my specified field, I don't produce any results (even after converting the epoch into a human readable string).

Question: How can I use a timestamp in the event message instead of the internal field that Splunk is using?

There are two timestamps present:
1. the internal field in Splunk. re: '_time' <--- Is this the indexing time of when Splunk processes the log?
2. 'message.timestamp' <--- this is the epoch timestamp of the "response" from the script that is producing the results (it queries an API and posts the data to Splunk). This is the actual time of when the event occurs, and the field I'd like to use to plot my data in a line graph.

Example query:

Does not work
index="index" sourcetype="sourcetype" | rename message.account as Account | search Account="account name" "message.title"="name" | bin span=1m time | dedup _time, message.title | eval epochTimestamp=strftime('message.timestamp'/1000,"%Y-%m-%dT%H:%M:%S.%N") | chart span=1m sum(message.concurrentsessionsminusnew60s) as "Concurrent sessions" over epochTimestamp by Account


Esteemed Legend

Like this:

index="index" AND sourcetype="sourcetype" AND "message.account"="account name" AND "message.title"="name"
| rename message.account as Account
| eval _time = 'message.timestamp' / 1000
| bin span=1m _time
| dedup _time message.title
| timechart span=1m sum(message.concurrent_sessions_minus_new60s) AS "Concurrent sessions" BY Account
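To see the approach from the answer above working end to end without touching a real index, here is a self-contained search that fabricates four JSON events with makeresults, extracts them with spath, and then rebases _time onto the event's own epoch-millisecond field before charting. This is an added example, not part of the original thread; the account names, titles, session counts and timestamps (around epoch 1700000000, i.e. 2023-11-14 22:13 UTC) are all constructed. By default _time is whatever timestamp Splunk recognized in the raw event at index time, which for a script that posts an API response is typically the moment the event was received rather than the time inside the payload, so the eval below is what makes the chart use the payload's time.

```spl
| makeresults count=4
| streamstats count AS n
| eval _raw=case(
    n==1, "{\"message\":{\"account\":\"acct-a\",\"title\":\"name\",\"timestamp\":1700000000000,\"concurrent_sessions_minus_new60s\":12}}",
    n==2, "{\"message\":{\"account\":\"acct-a\",\"title\":\"name\",\"timestamp\":1700000005000,\"concurrent_sessions_minus_new60s\":12}}",
    n==3, "{\"message\":{\"account\":\"acct-b\",\"title\":\"name\",\"timestamp\":1700000030000,\"concurrent_sessions_minus_new60s\":7}}",
    n==4, "{\"message\":{\"account\":\"acct-a\",\"title\":\"name\",\"timestamp\":1700000090000,\"concurrent_sessions_minus_new60s\":15}}")
| spath
| eval _time='message.timestamp'/1000
| rename message.account AS Account
| bin span=1m _time
| dedup _time Account message.title
| timechart span=1m sum(message.concurrent_sessions_minus_new60s) AS "Concurrent sessions" BY Account
```

Three points the example is built to show. First, the millisecond field must be divided by 1000 and left numeric: _time has to be epoch seconds, so formatting it with strftime and then assigning the string to _time (or charting "over" that string) defeats the time binning entirely, which is why the original query returned nothing usable. Second, dedup here includes Account as well as the minute bucket and title; deduping on _time and title alone would collapse acct-a and acct-b into one row whenever they report in the same minute. With the constructed data, events 1 and 2 fall into the same minute for acct-a and only one survives, event 3 gives acct-b its own row, and event 4 lands in the next minute. Third, this is a search-time fix only: if every search on this sourcetype should use the payload's time, the durable fix is to tell Splunk where the timestamp lives at index time in props.conf (TIME_PREFIX pointing at the "timestamp" key and TIME_FORMAT = %s%3N for epoch milliseconds, with MAX_TIMESTAMP_LOOKAHEAD wide enough to cover the digits), after which _time is correct for newly indexed events without any eval.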

Contributor

Hi,

Please use the query below. The idea is to evaluate your custom time field into _time.

    index="index" sourcetype="sourcetype"
    | rename message.account as Account
    | search Account="account name" "message.title"="name"
    | eval _time='message.timestamp'/1000
    | bin span=1m _time
    | dedup _time message.title
    | chart span=1m sum(message.concurrent_sessions_minus_new60s) as "Concurrent sessions" over _time by Account