Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can I use an extracted date field as my _time ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shariinPH
Contributor
04-20-2015
01:59 AM
Splunk indexed my data and gets the timestamp by its Date Modified (modtime)
Now in my events, I also have an extracted date field with the format MM/DD/YYYY
I've got to get that date field to use on my timechart.
Can I use that extracted date field as my _time for my time chart? Is it possible?
Thanks 🙂
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tom_frotscher
Builder
04-20-2015
02:57 AM
I see two possible solutions:
1) You reconfigure your inputs.conf and props.conf, to make splunk recognize your date field and use it to determine _time.
2) You do some search magic to use an other field as _time for your timechart. I think what you can do ist to use an eval command to store the information of an other field in your _time field:
... | eval _time = 'extracted_date_field' | timechart ...
Keep in mind, that your extracted_date_field should be an epoch. Therefore you might have to use the strptime command before:
... | eval extracted_date_field = strptime('extracted_date_field', "%m/%d/%Y") | eval _time = 'extracted_date_field' | timechart ...
Havn't tested it, but i think something like this should work.
Grettings
Tom
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tom_frotscher
Builder
04-20-2015
02:57 AM
I see two possible solutions:
1) You reconfigure your inputs.conf and props.conf, to make splunk recognize your date field and use it to determine _time.
2) You do some search magic to use an other field as _time for your timechart. I think what you can do ist to use an eval command to store the information of an other field in your _time field:
... | eval _time = 'extracted_date_field' | timechart ...
Keep in mind, that your extracted_date_field should be an epoch. Therefore you might have to use the strptime command before:
... | eval extracted_date_field = strptime('extracted_date_field', "%m/%d/%Y") | eval _time = 'extracted_date_field' | timechart ...
Havn't tested it, but i think something like this should work.
Grettings
Tom
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shariinPH
Contributor
04-20-2015
08:34 PM
will try this one. thanks tom!
Get Updates on the Splunk Community!
.conf25 Registration is OPEN!
Ready. Set. Splunk!
Your favorite Splunk user event is back and better than ever. Get ready for more technical ...
Detecting Cross-Channel Fraud with Splunk
This article is the final installment in our three-part series exploring fraud detection techniques using ...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
