Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to visualize data using the time field from the raw data, as opposed to the Timestamp?

phildefer
Explorer
‎11-12-2023 12:33 PM

Hello, I am a beginner with Splunk. I am experimenting with a csv dataset containing the daily average temperature for different cities across the world. As a first step, I would like to see, for a given city, the graph for the average temperature over time. However by default, the X axis on the timechart shows the timestamp of the source file, as opposed to the time field contained in each event. As a result, all events show the same date, which is probably the date the dataset was created.

How do I use the "Date" field contained in each event, instead of the Timestamp of the dataset file?

Thanks,

Labels (2)
Labels
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-12-2023 01:54 PM

As @tscroggins says, it's always important to get your ingest dates correctly extracted from the data in the first place.

However, to extract a time from a field in the data you use the strptime() function, e.g.

| eval _time=strptime(date_field, "format_string")

which will overwrite the existing _time field with the time converted from your data field called date_field according to the format string you specify.

Time format variables are documented here

https://docs.splunk.com/Documentation/Splunk/9.1.1/SearchReference/Commontimeformatvariables

e, g. this example, which you can paste into your search bar will convert the string in my_date_field to _time.

| makeresults
| eval my_date_field="2023-11-13 08:01:02.123"
| eval _time=strptime(my_date_field, "%F %T.%Q")

Note that times are converted to epoch times, but the _time field is special in that it will show you the formatted date, rather than the epoch.

Reply

tscroggins
Influencer
‎11-12-2023 01:36 PM

Hi @phildefer,

I would normally recommend extracting the timestamp correctly when the data is indexed, but if you've uploaded the csv file as a lookup file, your approach would differ.

How are you searching the data? How is the Date field formatted?

0 Karma
Reply

phildefer
Explorer
‎11-12-2023 01:54 PM

Date has YYYY-MM-DD format. I managed changing the '_time'  field by using  the command:
eval _time=strptime(Date,"%Y-%m-%d")

Now the Time column in the events list shows the date in the dd/mm/yyyy, with the actual time of 00:00:00.000

Reply

tscroggins
Influencer
‎11-12-2023 02:10 PM

As @bowesmana noted, this is the way. The timestamp is time zone-aware, though, so be mindful of the offset. If you prefer, you can include a time zone in your conversion, e.g. as a shortcut for for UTC:

eval _time=strptime(Date."Z", "%Y-%m-%d%Z")

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...