Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Timechart - Use with other time values in event not _time

robwheeler
Engager
‎06-22-2017 05:07 AM

I currently have a feed that indexes fine, however within the message there are various other timestamps that I'd like to use to create visualizations etc. How can I use these to for the visualization and ignore the _time value?

LAST_SCAN_DATETIME is the field picked for _time, which is the best fit indexing.

Other fields are below that I want to use in search/visualizations -

FIRST_FOUND_DATETIME
LAST_FOUND_DATETIME
LAST_TEST_DATETIME
LAST_UPDATE_DATETIME

all appear in this format:

2017-05-23T12:20:33Z

YYYY-MM-DDTHH:MM:SSZ

Regards

Rob

0 Karma
Reply

niketn
Legend
‎06-22-2017 06:58 AM

@robwheeler You would need to convert your String Time to epoch time using strptime first and then override _time with your epoch time prior to the timechart command.

Following is run-anywhere search for testing String Time to Epoch Time conversion

| makeresults
| eval FIRST_FOUND_DATETIME="2017-05-23T12:20:33Z"
| eval FIRST_FOUND_DATETIME=strptime(FIRST_FOUND_DATETIME,"%Y-%m-%dT%H:%M:%SZ")
| fieldformat FIRST_FOUND_DATETIME=strftime(FIRST_FOUND_DATETIME,"%Y-%m-%dT%H:%M:%SZ")

PS: Fieldformat changes display value (string time) while retaining underlying data (epoch time).

Following is the search you would need to plot timechart specific to your Time fields

<YourBaseSearch>
| eval FIRST_FOUND_DATETIME="2017-05-23T12:20:33Z"
| eval _time = FIRST_FOUND_DATETIME
| <Your Timechart command>
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...