Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to create a timechart from a time field in a CSV or lookup?

pkeller
Contributor
‎11-11-2015 02:23 PM

host,value,timestamp
a1,30,24-Oct-15 00:00
a1,10,24-Oct-15 01:00
a1,5,24-Oct-15 02:00
a2,3,24-Oct-15 00:00
a2,5,24-Oct-15 01:00

I'm wondering if it's possible using either inputcsv or inputlookup (if the csv is a lookup table) to do something like:

|inputcsv mycsv | search host=a1 | timechart span=1h avg(value) by host

(obviously, that doesn't work ... and I'm thinking that the only way to do this is to index the CSV with the TIME_FORMAT defined based on the 'timestamp' field.)

I probably shouldn't even be asking this to begin with 😉

Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎11-11-2015 02:45 PM

Hi pkeller,

yes, you can use eval strptime() on the timestamp field to parse the value as timestamp, see docs http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Timechart for more details. So try this:

 |inputcsv mycsv | search host=a1 | eval _time=strptime(timestamp, "%d-%b-%y %H:%M")  | timechart span=1h avg(value) by host

Hope this helps ...

cheers, MuS

View solution in original post

Reply
Solved! Jump to solution

sssignals
Path Finder
‎09-09-2017 09:12 AM

I had a similar problem.

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎11-11-2015 02:45 PM

Hi pkeller,

yes, you can use eval strptime() on the timestamp field to parse the value as timestamp, see docs http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Timechart for more details. So try this:

 |inputcsv mycsv | search host=a1 | eval _time=strptime(timestamp, "%d-%b-%y %H:%M")  | timechart span=1h avg(value) by host

Hope this helps ...

cheers, MuS

Reply
Solved! Jump to solution

stephanefotso
Motivator
‎11-11-2015 02:43 PM

True. Since the timechart command uses the _time field in your event data, that search query will not work, unless you have an _time field in your csv file.

Thanks

SGF
0 Karma
Reply
Solved! Jump to solution

aljohnson_splun
Splunk Employee
Splunk Employee
‎11-11-2015 02:40 PM

oh yeah. definitely.

You'll use inputlookup to get csv files loaded. Here is a doc on doing that. However, you'll need to turn the timestamp into a timestamp with eval:

| eval _time = strptime(timestamp, "%d-%b-%y")

Then, you can go ahead and just do:

| timechart span=1h max(value) as max_value by host

So the total search:

| inputlookup data.csv
| eval _time = strptime(timestamp, "%d-%b-%y")
| timechart span=1h max(value) as max_value by host
0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎11-11-2015 02:46 PM

do slow today 🙂

0 Karma
Reply
Solved! Jump to solution

pkeller
Contributor
‎11-11-2015 02:56 PM

You all are awesome.
The creation of _time via strptime worked perfectly

Thank you

0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...