Splunk Search
Highlighted

Is it possible to create a timechart from a time field in a CSV or lookup?

Contributor

host,value,timestamp
a1,30,24-Oct-15 00:00
a1,10,24-Oct-15 01:00
a1,5,24-Oct-15 02:00
a2,3,24-Oct-15 00:00
a2,5,24-Oct-15 01:00

I'm wondering if it's possible using either inputcsv or inputlookup (if the csv is a lookup table) to do something like:

|inputcsv mycsv | search host=a1 | timechart span=1h avg(value) by host

(obviously, that doesn't work ... and I'm thinking that the only way to do this is to index the CSV with the TIME_FORMAT defined based on the 'timestamp' field.)

I probably shouldn't even be asking this to begin with 😉

Highlighted

Re: Is it possible to create a timechart from a time field in a CSV or lookup?

Splunk Employee
Splunk Employee

oh yeah. definitely.

You'll use inputlookup to get csv files loaded. Here is a doc on doing that. However, you'll need to turn the timestamp into a timestamp with eval:

| eval _time = strptime(timestamp, "%d-%b-%y")

Then, you can go ahead and just do:

| timechart span=1h max(value) as max_value by host

So the total search:

| inputlookup data.csv
| eval _time = strptime(timestamp, "%d-%b-%y")
| timechart span=1h max(value) as max_value by host
0 Karma
Highlighted

Re: Is it possible to create a timechart from a time field in a CSV or lookup?

SplunkTrust
SplunkTrust

do slow today 🙂

0 Karma
Highlighted

Re: Is it possible to create a timechart from a time field in a CSV or lookup?

Contributor

You all are awesome.
The creation of _time via strptime worked perfectly

Thank you

0 Karma
Highlighted

Re: Is it possible to create a timechart from a time field in a CSV or lookup?

Motivator

True. Since the timechart command uses the _time field in your event data, that search query will not work, unless you have an _time field in your csv file.

Thanks

0 Karma
Highlighted

Re: Is it possible to create a timechart from a time field in a CSV or lookup?

SplunkTrust
SplunkTrust

Hi pkeller,

yes, you can use eval strptime() on the timestamp field to parse the value as timestamp, see docs http://docs.splunk.com/Documentation/Splunk/6.3.0/SearchReference/Timechart for more details. So try this:

 |inputcsv mycsv | search host=a1 | eval _time=strptime(timestamp, "%d-%b-%y %H:%M")  | timechart span=1h avg(value) by host

Hope this helps ...

cheers, MuS

View solution in original post

Highlighted

Re: Is it possible to create a timechart from a time field in a CSV or lookup?

Path Finder

I had a similar problem.

0 Karma