Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart - Use with other time values in event not _time

robwheeler
Engager
‎06-22-2017 05:07 AM

I currently have a feed that indexes fine, however within the message there are various other timestamps that I'd like to use to create visualizations etc. How can I use these to for the visualization and ignore the _time value?

LAST_SCAN_DATETIME is the field picked for _time, which is the best fit indexing.

Other fields are below that I want to use in search/visualizations -

FIRST_FOUND_DATETIME
LAST_FOUND_DATETIME
LAST_TEST_DATETIME
LAST_UPDATE_DATETIME

all appear in this format:

2017-05-23T12:20:33Z

YYYY-MM-DDTHH:MM:SSZ

Regards

Rob

0 Karma
Reply

niketn
Legend
‎06-22-2017 06:58 AM

@robwheeler You would need to convert your String Time to epoch time using strptime first and then override _time with your epoch time prior to the timechart command.

Following is run-anywhere search for testing String Time to Epoch Time conversion

| makeresults
| eval FIRST_FOUND_DATETIME="2017-05-23T12:20:33Z"
| eval FIRST_FOUND_DATETIME=strptime(FIRST_FOUND_DATETIME,"%Y-%m-%dT%H:%M:%SZ")
| fieldformat FIRST_FOUND_DATETIME=strftime(FIRST_FOUND_DATETIME,"%Y-%m-%dT%H:%M:%SZ")

PS: Fieldformat changes display value (string time) while retaining underlying data (epoch time).

Following is the search you would need to plot timechart specific to your Time fields

<YourBaseSearch>
| eval FIRST_FOUND_DATETIME="2017-05-23T12:20:33Z"
| eval _time = FIRST_FOUND_DATETIME
| <Your Timechart command>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...