Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How to specify the x axis on the timeline?

cooperuk
New Member
‎10-28-2010 04:10 PM

I have imported a file which has more than one time and date field, splunk is using one of them, however I would like to specify the other time field in the file?

I have been playing around with splunk for a while and have not found an easy way to do it?

Any help would be appreciated.

Cheers

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎10-28-2010 05:02 PM

Assuming your alternate timestamp is already being extracted into a field named EventTime, then you can use eval to replace the original value of the _time field:

| eval _time=EventTime

If you don't have a field extraction set up, you can also use rex to extract the alternate timestamp from _raw into _time.

Be aware that your timestamp needs to be a valid Unix epoch time to work. If your data shows the time in text format, you'll need to convert it first. The exact parameters will vary based on the format. For a date of the form 2010-10-26 14:50:58, you would need:

| eval _time=strptime(EventTime, "%Y-%m-%d %H:%M:%S")

If you are always going to want this timestamp instead of the one that Splunk is extracting automatically, take a look at http://www.splunk.com/base/Documentation/4.1.5/Admin/ConfigurePositionalTimestampExtraction for information on how to modify Splunk's default timestamp recognition.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

southeringtonp
Motivator
‎10-28-2010 05:02 PM

Assuming your alternate timestamp is already being extracted into a field named EventTime, then you can use eval to replace the original value of the _time field:

| eval _time=EventTime

If you don't have a field extraction set up, you can also use rex to extract the alternate timestamp from _raw into _time.

Be aware that your timestamp needs to be a valid Unix epoch time to work. If your data shows the time in text format, you'll need to convert it first. The exact parameters will vary based on the format. For a date of the form 2010-10-26 14:50:58, you would need:

| eval _time=strptime(EventTime, "%Y-%m-%d %H:%M:%S")

If you are always going to want this timestamp instead of the one that Splunk is extracting automatically, take a look at http://www.splunk.com/base/Documentation/4.1.5/Admin/ConfigurePositionalTimestampExtraction for information on how to modify Splunk's default timestamp recognition.

0 Karma
Reply
Solved! Jump to solution

southeringtonp
Motivator
‎10-29-2010 07:16 PM

The date is being extracted in text form, but Splunk needs it in unix epoch time. You will need to convert it - see edits above.

0 Karma
Reply
Solved! Jump to solution

cooperuk
New Member
‎10-29-2010 11:01 AM

*ignore that log.log is a diff file from threatlog.log

Also, sorry I didn’t realise it would takeout the formatting!

0 Karma
Reply
Solved! Jump to solution

cooperuk
New Member
‎10-29-2010 10:58 AM

Thanks for the quick reply.

I have tried the following as a search:
source="c:\Log.log" | rex field=_raw "EventTime: (?.*)" | eval _time="EventTime"

and also I have tried:
source="c:\ThreatLog.log" | eval _time="EventTime"

When I run either of these it says there are 21 things found but does not display anything on the time line and does not list anything below, any ideas?

The first line of the log file is:

2010-10-27 11:45:11 syslogsvc INFO: EventID=1; EventTime=2010-10-26 14:50:58; and some other stuff....

I would like to use EventTime as _time

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...