I'm wondering if it's possible, using inputlookup (if the CSV is a lookup table), to do something like:
|inputcsv mycsv | search host=a1 | timechart span=1h avg(value) by host
(Obviously, that doesn't work ... and I'm thinking that the only way to do this is to index the CSV with the TIME_FORMAT defined based on the 'timestamp' field.)
I probably shouldn't even be asking this to begin with 😉
oh yeah. definitely.
Use inputlookup to get CSV files loaded. Here is a doc on doing that. However, you'll need to turn the timestamp string into a timestamp with
| eval _time = strptime(timestamp, "%d-%b-%y")
Then, you can go ahead and just do:
| timechart span=1h max(value) as max_value by host
So the total search:
| inputlookup data.csv | eval _time = strptime(timestamp, "%d-%b-%y") | timechart span=1h max(value) as max_value by host
You all are awesome.
The creation of _time via strptime worked perfectly
True. Since the timechart command uses the _time field in your event data, that search query will not work unless you have a _time field in your CSV file.
Yes, you can use eval strptime() on the timestamp field to parse the value as a timestamp; see the docs at http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Timechart for more details. So try this:
|inputcsv mycsv | search host=a1 | eval _time=strptime(timestamp, "%d-%b-%y %H:%M") | timechart span=1h avg(value) by host
Hope this helps ...
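To make the mechanics of the two answers above concrete, here is an added Python emulation of the `inputlookup | eval _time=strptime(...) | timechart span=1h ... by host` pipeline. It is not from the original thread or from Splunk; the CSV is constructed, the column names (timestamp, host, value) are assumed from the question, and the point it demonstrates is the caveat a practitioner wants: timechart only buckets rows that have a usable _time, so a strptime format that does not match the timestamp string leaves _time null and those rows silently drop out of the chart (the empty result from the date-only format below models that).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lookup, shaped like the CSV in the question (columns assumed).
# The last row has a deliberately unparseable timestamp.
SAMPLE_CSV = """timestamp,host,value
03-Jan-16 10:05,a1,10
03-Jan-16 10:45,a1,30
03-Jan-16 11:10,a1,7
03-Jan-16 10:20,b2,100
bogus,a1,999
"""

SPAN_1H = 3600


def splunk_strptime(text, fmt):
    """Emulate eval strptime(): epoch seconds on success, None (null) when the
    format does not match. UTC is forced so the bucket math is deterministic."""
    try:
        return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc).timestamp()
    except ValueError:
        return None


def inputlookup(csv_text):
    """Emulate | inputlookup: every row comes back as a dict of string fields."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def search(rows, **filters):
    """Emulate | search host=a1 (exact field match on each filter)."""
    return [r for r in rows if all(r.get(k) == v for k, v in filters.items())]


def add_time(rows, fmt):
    """Emulate | eval _time=strptime(timestamp, fmt)."""
    for row in rows:
        row["_time"] = splunk_strptime(row["timestamp"], fmt)
    return rows


def avg(values):
    return sum(values) / len(values)


def timechart(rows, span_seconds, field, agg, by="host"):
    """Emulate | timechart span=<span> <agg>(<field>) by <by>.
    Rows with a null _time are skipped, exactly the failure mode to watch for."""
    buckets = defaultdict(lambda: defaultdict(list))
    for row in rows:
        if row["_time"] is None:
            continue
        bucket_start = int(row["_time"] // span_seconds * span_seconds)
        buckets[bucket_start][row[by]].append(float(row[field]))
    return {start: {h: agg(v) for h, v in series.items()}
            for start, series in sorted(buckets.items())}


def run(fmt="%d-%b-%y %H:%M"):
    """The full search from the answer, for host=a1 with avg(value)."""
    rows = add_time(inputlookup(SAMPLE_CSV), fmt)
    return timechart(search(rows, host="a1"), SPAN_1H, "value", avg)


def count_null_time(fmt):
    """The pre-flight check: how many rows would timechart drop for this format?
    In Splunk the equivalent is  | where isnull(_time) | stats count."""
    rows = add_time(inputlookup(SAMPLE_CSV), fmt)
    return sum(1 for r in rows if r["_time"] is None)


if __name__ == "__main__":
    for epoch, per_host in run().items():
        print(datetime.fromtimestamp(epoch, timezone.utc).isoformat(), per_host)
    print("rows dropped with date-only format:", count_null_time("%d-%b-%y"))
```

The format string must describe the whole timestamp string: with the sample data, `"%d-%b-%y %H:%M"` yields two hourly buckets for a1 (the bogus row is dropped), whereas the date-only `"%d-%b-%y"` parses nothing here and the chart comes back empty. Counting null _time values before charting is the cheap check that catches that mistake.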