Solved: Re: Timechart x-axis customized time

abhi144 · ‎04-08-2014

I am getting date from my device in search date field like date=20140408045219. So i wanted to show the time chart according to date field in x-axis not _time. Any suggestion will be helpful?

martin_mueller · ‎04-08-2014

You might be able to do something like this:

base search | eval _time = strptime(date, "%Y%m%d%H%M%S") | timechart ...

However, do consider if it makes sense to use that date field as the actual _time value when indexing future data.

View solution in original post

HMTODD · ‎11-03-2016

You may want to try the chart command. "Unlike the timechart command which generates a chart with the _time field as the x-axis, the chart command produces a table with an arbitrary field as the x-axis."

abhi144 · ‎04-08-2014

Thanks for your suggestion martin. But it still taking _time on x-axis its not taking my time which is coming through eval _time = strptime(date, "%Y%m%d%H%M%S").

martin_mueller · ‎04-08-2014

You might be able to do something like this:

base search | eval _time = strptime(date, "%Y%m%d%H%M%S") | timechart ...

However, do consider if it makes sense to use that date field as the actual _time value when indexing future data.

martin_mueller · ‎04-08-2014

When I run this over here:

index=_internal | head 1 | eval date="20140408045219" | eval _time = strptime(date, "%Y%m%d%H%M%S") | timechart count

I get a blip at 4:52AM rather than now (3:50PM).

It's still using the field called _time, but with the value you've changed it to.

Timechart x-axis customized time

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?