Solved: Re: How to create a timechart based on index time?

DEAD_BEEF · ‎08-27-2018

I'm trying to create a timechart to show when logs were ingested. Trying to use _indextime but it doesn't seem to be working. What am I missing on my SPL?

Current query

index=web
| eval _time=strptime(_indextime, "%d-%b-%y %H:%M:%S") 
| timechart span=1h count by index

FrankVl · ‎08-27-2018

You shouldn't be putting a formatted string timestamp into _time. Splunk expects an epoch timestamp there (even though it usually presents _time automatically as a human readable string). So just try eval _time = _indextime.

View solution in original post

DalJeanis · ‎08-27-2018

_indextime is already in epoch. No conversion is needed.

 | eval  _time = _indextime

skoelpin · ‎08-27-2018

Try strftime instead

index=web
 | eval indextime=strftime(_indextime, "%d-%b-%y %H:%M:%S") 
 | timechart span=1h max(indextime) by index

If you wanted to identify indexing lag, you can do this

    index=web
   | eval indextime=strftime(_indextime, "%s") 
   | eval diff=indextime-_time
   | timechart span=1h max(diff) AS diff

FrankVl · ‎08-27-2018

You shouldn't be putting a formatted string timestamp into _time. Splunk expects an epoch timestamp there (even though it usually presents _time automatically as a human readable string). So just try eval _time = _indextime.

How to create a timechart based on index time?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation