Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field '_time' should have numerical values

Jamietriplet
Explorer
‎05-09-2024 03:07 AM

Hi all,

I am new to splunk, and i have got the following error:

"Field '_time' should have numerical values"  when I try to run a timechart command.

I have got a csv file 'try.csv', which I read in some fields to display, but when I initiate a timechart command I get the above error.

The csv file 'try.csv' has a column named _time, which has an ISO8601 time


I would appreciate any guide or help I can get, as I am relatively new to splunk

Thanks

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dataisbeautiful
Communicator
‎05-09-2024 03:42 AM

Hi @Jamietriplet 

Sounds like _time is being read as a string not as epochtime, try this

| eval _time = strptime(_time, "%Y-%m-%dT%H:%M:%S.%N")

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dataisbeautiful
Communicator
‎05-09-2024 03:42 AM

Hi @Jamietriplet 

Sounds like _time is being read as a string not as epochtime, try this

| eval _time = strptime(_time, "%Y-%m-%dT%H:%M:%S.%N")

 

Reply
Solved! Jump to solution

Jamietriplet
Explorer
‎05-09-2024 04:10 AM

Hi, dataisbeautiful , this worked. Thanks

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-09-2024 03:32 AM

Hi @Jamietriplet,

to use timechart you must use the -time field that's in epochtime format.

If in your csv you have the _time field in a different format, you have to convert in epochtime (using strptime function in eval command) before the timechart command:

Ciao.

Giuseppe

Reply
Solved! Jump to solution

Jamietriplet
Explorer
‎05-09-2024 04:01 AM

Thanks @gcusello 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-09-2024 04:03 AM

Ciao @Jamietriplet ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...