Splunk Search
Highlighted

Can't use a filed for timestamp

Explorer

Hello,

I have importing a CSV file with the field2 for the timestamp. It's working.
After that I need to create a timechart using the filed1 for the timestamp.
I use this :
|eval _time=strptime(field1, "%d/%m/%Y")
| timechart span=year count(field3)

If I put "all the time" on the timepicker, it works.
But if put "year 2013" on the timepicker the year 2013, the result is the events of the year 2013 based on the index time ( equal to field2) and not the field1.

I don't understand why the timechart is based on the events link to the field1 inside the event link to the field2.

[Version Splunk 6.6.3]

0 Karma
Highlighted

Re: Can't use a filed for timestamp

Super Champion

the time picker uses the indexed time field for filtering. you will need to add a secondary filter for field1 to filter on, such as <base search> field1=*2013|eval _time=strptime(field1, "%d/%m/%Y")| timechart span=year count(field3)

0 Karma
Highlighted

Re: Can't use a filed for timestamp

Explorer

Hi, as I said I already use |eval _time=strptime(field1, "%d/%m/%Y").
Can you be more precise ?

0 Karma
Highlighted

Re: Can't use a filed for timestamp

Super Champion

you need to filter for the keyword 2013 in your base search. you can't use your time picker. you'll still need to eval _time to field1 in order to use that field in timechart but to filter for just 2013, you'll need to add it to the beginning of the search.

index=csv field1=*2013|eval _time=strptime(field1, "%d/%m/%Y")| timechart span=year count(field3)
0 Karma
Highlighted

Re: Can't use a filed for timestamp

Explorer

The use of the time picker was the goal, without it, my search not modulabe.

0 Karma
Highlighted

Re: Can't use a filed for timestamp

Super Champion

try something like this

...
| addinfo 
|eval _time=strptime(field1, "%d/%m/%Y")
| where _time>=info_min_time AND (info_max_time="+Infinity" OR _time<info_max_time) 
| fields - info_min_time info_max_time info_search_time info_sid
| timechart span=year count(field3)
0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.