Timechart - Use with other time values in event no...

robwheeler · ‎06-22-2017

I currently have a feed that indexes fine, however within the message there are various other timestamps that I'd like to use to create visualizations etc. How can I use these to for the visualization and ignore the _time value?

LAST_SCAN_DATETIME is the field picked for _time, which is the best fit indexing.

Other fields are below that I want to use in search/visualizations -

FIRST_FOUND_DATETIME
LAST_FOUND_DATETIME
LAST_TEST_DATETIME
LAST_UPDATE_DATETIME

all appear in this format:

2017-05-23T12:20:33Z

YYYY-MM-DDTHH:MM:SSZ

Regards

Rob

niketn · ‎06-22-2017

@robwheeler You would need to convert your String Time to epoch time using strptime first and then override _time with your epoch time prior to the timechart command.

Following is run-anywhere search for testing String Time to Epoch Time conversion

| makeresults
| eval FIRST_FOUND_DATETIME="2017-05-23T12:20:33Z"
| eval FIRST_FOUND_DATETIME=strptime(FIRST_FOUND_DATETIME,"%Y-%m-%dT%H:%M:%SZ")
| fieldformat FIRST_FOUND_DATETIME=strftime(FIRST_FOUND_DATETIME,"%Y-%m-%dT%H:%M:%SZ")

PS: Fieldformat changes display value (string time) while retaining underlying data (epoch time).

Following is the search you would need to plot timechart specific to your Time fields

<YourBaseSearch>
| eval FIRST_FOUND_DATETIME="2017-05-23T12:20:33Z"
| eval _time = FIRST_FOUND_DATETIME
| <Your Timechart command>

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Timechart - Use with other time values in event not _time

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?

Timechart - Use with other time values in event not _time

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability