Splunk Search

Overwrite _time with field only shows all entries in timechart ignoring the timeframe selected

andimnf
Explorer

Hi,
I need to perform a timechart count for a particular field. The dates in the field aren't related to the timestamp the log was received at and can go back a few years, so I overwrite _time with the field converted to epoch. This works well and the figures in the graph are accurate. However, if I select the timeframe 'last 7 days' or 'last 30 days', for example, the timechart still shows all entries, including those going back to 2017.

index=example sourcetype=examplesource | eval epoch_logged_time=strptime('Date Logged',"%d/%m/%Y") | eval _time=epoch_logged_time | timechart count span=7d

What's going on here?

TIA

0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

index=example sourcetype=examplesource earliest=0 latest=now
| eval epoch_logged_time=strptime('Date Logged',"%d/%m/%Y")
| eval _time=epoch_logged_time
| addinfo
| where ((_time >= info_min_time) AND (info_max_time=="+Infinity" OR _time<=info_max_time))
| timechart fixedrange=f count span=7d

0 Karma

to4kawa
Ultra Champion
| makeresults count=2 
| streamstats count 
| eval _time = if (count==2,relative_time(_time,"-2y@d"), relative_time(_time,"@d")) 
| makecontinuous span=1d
| eval time=now()
| streamstats count
| eval time=relative_time(time,"-".count."d@d")
| eval value=random() % 50 + 1
| bin span=7d time
| chart sum(value) as count by time
| rename time as _time

Anyway, even if it is not timechart, you can create a time series table.
Isn't it ok to limit _time with where, create a table, and rename it?

0 Karma

andimnf
Explorer

So I got this to do what I wanted using the following search. It's not the prettiest so I'm still wondering if there's a better way.

...| eval epoch_logged_time=strptime('Date Logged',"%d/%m/%Y")  | eval _time=epoch_logged_time | where _time>now()-7257600 | timechart count span=7d
0 Karma

woodcock
Esteemed Legend

Try my updated answer. It should do exactly what you need as selected by the Time picker.

0 Karma

andimnf
Explorer

Thanks, but I get errors on the +Infinity value. I tried swapping that out for 'now' but it still just displays all time.

woodcock
Esteemed Legend

You also need fixedrange=false. I updated my answer.

0 Karma

andimnf
Explorer

Thanks again. This still isn't taking the input from the timepicker and is just showing all dates.

0 Karma

woodcock
Esteemed Legend

That seems pretty impossible because my answer is a slightly improved version of what you said in your other answer is already working. The addinfo part takes the timepicker's values and trims based on that instead of hard-coded. Are you sure that you are using what I posted?

0 Karma

andimnf
Explorer

Yes, I copied and pasted it from here.

I see now it needs to have the "earliest=0 latest=now" removed for this to work.

Thanks for your help.

0 Karma

andimnf
Explorer

I see now that the timeframe is created before the eval overwrites the _time field.

Is there anything I can do here to show specific times?

0 Karma
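The mechanism andimnf describes above (the picker's range is applied when events are fetched, before the eval overwrites _time) and the addinfo-style trim from woodcock's accepted solution, modelled in Python as an added example. This is not Splunk code and not from the thread: it assumes strptime is evaluated in UTC, a fixed "now" (1 March 2020), and a handful of constructed events whose ingest _time is within the last week while their "Date Logged" field goes back to 2017. The function names `original_search`, `trimmed_search`, `fetch`, `overwrite_time`, `trim_to_picker` and `timechart_count` are this example's own.

```python
"""Model of the SPL pipeline in this thread (added example; not Splunk code).

Shows why the time picker does not trim the chart once _time is overwritten:
the picker's bounds are applied when events are fetched from the index, on
the ingest _time, while the chart is drawn on the rewritten _time.  The trim
has to be repeated after the rewrite, on the picker's bounds (what addinfo
exposes as info_min_time / info_max_time).

Assumptions: strptime is evaluated in UTC, "now" is fixed, and the events
below are constructed, not real log data.
"""
from collections import Counter
from datetime import datetime, timezone

DAY = 86400
NOW = datetime(2020, 3, 1, tzinfo=timezone.utc).timestamp()  # assumed now()

# Constructed events: _time is the ingest timestamp (all within the last
# week); "Date Logged" is the field the user wants to chart on.
EVENTS = [
    {"_time": NOW - 1 * DAY, "Date Logged": "03/05/2017"},
    {"_time": NOW - 2 * DAY, "Date Logged": "15/01/2019"},
    {"_time": NOW - 2 * DAY, "Date Logged": "25/02/2020"},
    {"_time": NOW - 3 * DAY, "Date Logged": "28/02/2020"},
    {"_time": NOW - 4 * DAY, "Date Logged": "not a date"},
]


def strptime_epoch(value, fmt="%d/%m/%Y"):
    """Like SPL strptime(): epoch seconds, or None (null) if parsing fails."""
    try:
        parsed = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return parsed.timestamp()


def fetch(events, earliest, latest):
    """Index retrieval: the picker's (or inline earliest/latest) range is
    applied here, to the ingest _time, before any eval runs."""
    return [e for e in events if earliest <= e["_time"] <= latest]


def overwrite_time(events):
    """| eval _time=strptime('Date Logged', "%d/%m/%Y")"""
    return [{**e, "_time": strptime_epoch(e["Date Logged"])} for e in events]


def trim_to_picker(events, info_min_time, info_max_time):
    """| addinfo
    | where _time>=info_min_time AND (info_max_time=="+Infinity" OR _time<=info_max_time)

    addinfo reports "+Infinity" for info_max_time when no latest bound is set.
    A null _time (unparseable date) fails the comparison and is dropped, as in SPL.
    """
    kept = []
    for e in events:
        t = e["_time"]
        if t is None or t < info_min_time:
            continue
        if info_max_time != "+Infinity" and t > info_max_time:
            continue
        kept.append(e)
    return kept


def timechart_count(events, span=7 * DAY):
    """| timechart count span=7d  -> {bucket_start_epoch: count}; null _time skipped."""
    return dict(Counter(int(e["_time"] // span) * span
                        for e in events if e["_time"] is not None))


def original_search(events, picker_earliest, picker_latest):
    """The question's search: fetch within the picker range, rewrite _time,
    chart.  Every fetched event survives, so 2017 dates appear on a
    'last 7 days' chart."""
    return timechart_count(overwrite_time(fetch(events, picker_earliest, picker_latest)))


def trimmed_search(events, picker_earliest, picker_latest):
    """Fetch all time (earliest=0 latest=now), rewrite _time, then trim on the
    picker's bounds.  The bounds are passed in separately: in Splunk, inline
    earliest=0 latest=now also become what addinfo reports, which is why the
    trim in the thread only started working once those terms were removed."""
    rewritten = overwrite_time(fetch(events, 0, NOW))
    return timechart_count(trim_to_picker(rewritten, picker_earliest, picker_latest))


if __name__ == "__main__":
    earliest = NOW - 7 * DAY
    print("original:", original_search(EVENTS, earliest, NOW))
    print("trimmed: ", trimmed_search(EVENTS, earliest, NOW))
```

Running it with a "last 7 days" window shows `original_search` charting four buckets, the earliest in 2017, while `trimmed_search` keeps only the two events whose Date Logged falls inside the window. The separate `picker_earliest`/`picker_latest` arguments are the part Splunk does not give you for free once `earliest=0 latest=now` is in the search string: in a dashboard the picker's tokens can be passed into the where clause, while in an ad-hoc search the bound has to be hard-coded, as in andimnf's `where _time>now()-7257600`.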