Solved: How to create a timechart based on index time?

DEAD_BEEF · ‎08-27-2018

I'm trying to create a timechart to show when logs were ingested. Trying to use _indextime but it doesn't seem to be working. What am I missing on my SPL?

Current query

index=web
| eval _time=strptime(_indextime, "%d-%b-%y %H:%M:%S") 
| timechart span=1h count by index

FrankVl · ‎08-27-2018

You shouldn't be putting a formatted string timestamp into _time. Splunk expects an epoch timestamp there (even though it usually presents _time automatically as a human readable string). So just try eval _time = _indextime.

View solution in original post

DalJeanis · ‎08-27-2018

_indextime is already in epoch. No conversion is needed.

 | eval  _time = _indextime

skoelpin · ‎08-27-2018

Try strftime instead

index=web
 | eval indextime=strftime(_indextime, "%d-%b-%y %H:%M:%S") 
 | timechart span=1h max(indextime) by index

If you wanted to identify indexing lag, you can do this

    index=web
   | eval indextime=strftime(_indextime, "%s") 
   | eval diff=indextime-_time
   | timechart span=1h max(diff) AS diff

FrankVl · ‎08-27-2018

You shouldn't be putting a formatted string timestamp into _time. Splunk expects an epoch timestamp there (even though it usually presents _time automatically as a human readable string). So just try eval _time = _indextime.

How to create a timechart based on index time?

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

Are you a member of the Splunk Community?

How to create a timechart based on index time?

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

First Steps with Splunk SOAR

How To Build a Self-Service Observability Practice with Splunk Observability Cloud