Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can't use a filed for timestamp

Alaza
Explorer
‎02-28-2018 12:53 AM

Hello,

I have importing a CSV file with the field2 for the timestamp. It's working.
After that I need to create a timechart using the filed1 for the timestamp.
I use this :
|eval _time=strptime(field1, "%d/%m/%Y")
| timechart span=year count(field3)

If I put "all the time" on the timepicker, it works.
But if put "year 2013" on the timepicker the year 2013, the result is the events of the year 2013 based on the index time ( equal to field2) and not the field1.

I don't understand why the timechart is based on the events link to the field1 inside the event link to the field2.

[Version Splunk 6.6.3]

0 Karma
Reply

cmerriman
Super Champion
‎02-28-2018 04:36 AM

the time picker uses the indexed time field for filtering. you will need to add a secondary filter for field1 to filter on, such as <base search> field1=*2013|eval _time=strptime(field1, "%d/%m/%Y")| timechart span=year count(field3)

0 Karma
Reply

Alaza
Explorer
‎02-28-2018 08:22 AM

Hi, as I said I already use |eval _time=strptime(field1, "%d/%m/%Y").
Can you be more precise ?

0 Karma
Reply

cmerriman
Super Champion
‎02-28-2018 08:30 AM

you need to filter for the keyword 2013 in your base search. you can't use your time picker. you'll still need to eval _time to field1 in order to use that field in timechart but to filter for just 2013, you'll need to add it to the beginning of the search.

index=csv field1=*2013|eval _time=strptime(field1, "%d/%m/%Y")| timechart span=year count(field3)
0 Karma
Reply

Alaza
Explorer
‎02-28-2018 09:52 AM

The use of the time picker was the goal, without it, my search not modulabe.

0 Karma
Reply

cmerriman
Super Champion
‎02-28-2018 10:19 AM

try something like this

...
| addinfo 
|eval _time=strptime(field1, "%d/%m/%Y")
| where _time>=info_min_time AND (info_max_time="+Infinity" OR _time<info_max_time) 
| fields - info_min_time info_max_time info_search_time info_sid
| timechart span=year count(field3)
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...