I understand we can rewrite _time from a particular time field with this formula: eval _time=strptime(time_submitted, "%m/%d/%Y"), but if I rewrite _time, I notice that the time pickers to the right of the search box are not working. I can't select data for Yesterday, or Month to date, etc.
Is there a way to select a time range using the fields that we like?
The search that I am looking to run is similar to a SQL query:
SELECT time_created, time_completed, order_id
WHERE time_created > "mm-dd-yyyy hh:mi:ss"
The best option would be to choose the correct field for _time at indexing time. If you want _time to be something else, for example if it should always have the time of the field time_created, you should configure this in the sourcetype.
You could also use eval epoch=strptime(time_created, "%m/%d/%Y"); then you have an epoch value in the field epoch and you can use this field in your search, for example: index=myTable | eval epoch=strptime(time_created, "%m/%d/%Y") | where epoch > 1440490286 | table time_created time_completed order_id
The drawback is that you still have to choose a time in the default time range picker, so you should use a time range that definitely covers your results.
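As an added example, not from the original post or answer, this is what the index-time configuration the answer refers to looks like: a props.conf stanza for a hypothetical sourcetype named orders, assuming the raw events carry the value as key=value text (for example time_created=08/25/2015 10:31:26) with both date and time present.

```ini
# Added example, not from the original answer. Hypothetical sourcetype "orders"
# whose raw events contain text such as:  time_created=08/25/2015 10:31:26 ...
[orders]
# Start looking for the timestamp immediately after this literal prefix
TIME_PREFIX = time_created=
# Full date and time. "%m/%d/%Y" alone would stamp every event at midnight,
# which is also why the strptime() in the search above yields day granularity.
TIME_FORMAT = %m/%d/%Y %H:%M:%S
# Scan only this many characters after the prefix (length of "08/25/2015 10:31:26")
MAX_TIMESTAMP_LOOKAHEAD = 19
```

Once _time is taken from time_created at index time, the time range picker (Yesterday, Month to date, etc.) applies directly to index=orders | table time_created time_completed order_id, with no eval or where clause needed. Timestamp settings in props.conf only affect events indexed after the change; already indexed events keep their existing _time.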