Splunk Search

Can't use a filed for timestamp

Alaza
Explorer

Hello,

I have importing a CSV file with the field2 for the timestamp. It's working.
After that I need to create a timechart using the filed1 for the timestamp.
I use this :
|eval _time=strptime(field1, "%d/%m/%Y")
| timechart span=year count(field3)

If I put "all the time" on the timepicker, it works.
But if put "year 2013" on the timepicker the year 2013, the result is the events of the year 2013 based on the index time ( equal to field2) and not the field1.

I don't understand why the timechart is based on the events link to the field1 inside the event link to the field2.

[Version Splunk 6.6.3]

0 Karma

cmerriman
Super Champion

the time picker uses the indexed time field for filtering. you will need to add a secondary filter for field1 to filter on, such as <base search> field1=*2013|eval _time=strptime(field1, "%d/%m/%Y")| timechart span=year count(field3)

0 Karma

Alaza
Explorer

Hi, as I said I already use |eval _time=strptime(field1, "%d/%m/%Y").
Can you be more precise ?

0 Karma

cmerriman
Super Champion

you need to filter for the keyword 2013 in your base search. you can't use your time picker. you'll still need to eval _time to field1 in order to use that field in timechart but to filter for just 2013, you'll need to add it to the beginning of the search.

index=csv field1=*2013|eval _time=strptime(field1, "%d/%m/%Y")| timechart span=year count(field3)
0 Karma

Alaza
Explorer

The use of the time picker was the goal, without it, my search not modulabe.

0 Karma

cmerriman
Super Champion

try something like this

...
| addinfo 
|eval _time=strptime(field1, "%d/%m/%Y")
| where _time>=info_min_time AND (info_max_time="+Infinity" OR _time<info_max_time) 
| fields - info_min_time info_max_time info_search_time info_sid
| timechart span=year count(field3)
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...