Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can't use a filed for timestamp
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can't use a filed for timestamp
Hello,
I have importing a CSV file with the field2 for the timestamp. It's working.
After that I need to create a timechart using the filed1 for the timestamp.
I use this :
|eval _time=strptime(field1, "%d/%m/%Y")
| timechart span=year count(field3)
If I put "all the time" on the timepicker, it works.
But if put "year 2013" on the timepicker the year 2013, the result is the events of the year 2013 based on the index time ( equal to field2) and not the field1.
I don't understand why the timechart is based on the events link to the field1 inside the event link to the field2.
[Version Splunk 6.6.3]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the time picker uses the indexed time field for filtering. you will need to add a secondary filter for field1 to filter on, such as <base search> field1=*2013|eval _time=strptime(field1, "%d/%m/%Y")| timechart span=year count(field3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, as I said I already use |eval _time=strptime(field1, "%d/%m/%Y").
Can you be more precise ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you need to filter for the keyword 2013 in your base search. you can't use your time picker. you'll still need to eval _time to field1 in order to use that field in timechart but to filter for just 2013, you'll need to add it to the beginning of the search.
index=csv field1=*2013|eval _time=strptime(field1, "%d/%m/%Y")| timechart span=year count(field3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The use of the time picker was the goal, without it, my search not modulabe.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try something like this
...
| addinfo
|eval _time=strptime(field1, "%d/%m/%Y")
| where _time>=info_min_time AND (info_max_time="+Infinity" OR _time<info_max_time)
| fields - info_min_time info_max_time info_search_time info_sid
| timechart span=year count(field3)
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
