Splunk Search

From epoch to _time to make a timechart-based search.

cpm003
Path Finder

Hello! I hope you can help me with this.

I'm trying to set as _time an epoch field located at the "rt" field.

But if I try to make a timechart after eval _time=getTime, I receive the following error.

arjunpkishore5
Motivator

strftime converts your epoch time to a string, and that's why it does not work. All you need is this.

index=business AND combo
| eval _time=rt/pow(10,3)
| timechart count

Please up vote and mark as answer if this works for you.
