Splunk Search

How to make another field as date field instead of _time?


I am doing a chart command on two fields as below

index=main sourcetype=csv "Site "=* "Content "=* | chart count( Views) by "Event Date"

The above command gives the count of views for each event date

Event Date count( Views)
2/14/2018 408960
2/15/2018 427769

But when I select the date range from the time picker, the data is not changing. How can I make the "Event data" change on selecting the desired date range?


You can change the _time to have values from field Event Date, at search time like this, but note that the time range will still apply from the older value of _time.

your base search | eval _time=strptime('Event Date',"%m/%d/%Y") | timechart span=1d count( Views)

Let me know if this helps!



I tried this before, but it does not show any results, and the other thing is that all the interesting and selected fields will not be seen.
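
An added example, not part of the original thread: in eval, a field name containing a space is written in single quotes ('Event Date'), because double quotes make it a string literal that strptime cannot parse. The search below also uses addinfo to compare the parsed date against the time picker's bounds. The field name event_epoch is hypothetical, and the base search still returns only events whose original _time falls inside the picker range, so the result is limited to events where both that _time and "Event Date" are in range.

```spl
index=main sourcetype=csv "Site "=* "Content "=*
| eval event_epoch=strptime('Event Date', "%m/%d/%Y")
| where isnotnull(event_epoch)
| addinfo
| where event_epoch>=info_min_time AND (info_max_time="+Infinity" OR event_epoch<=info_max_time)
| eval _time=event_epoch
| timechart span=1d count( Views)
```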
