- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Timespan trouble with timechart
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Timespan trouble with timechart
Hi,
I'm having some issues with timechart.
I'm overriding _time in props.conf, since my timestamp is extracted from source, and this part works fine. In some rare cases the source doesn't contain a timestamp, then I will set it to 1/1/2002 00.00.00.
I run this search:
sourcetype=my_sourcetype os_name=* | timechart count(os_name) by os_name
and it looks correct. However, when I want to limit the timespan to this year only, the 2002-events will still show.
I looked at the date_year field, and it's value is 2013 even in the 2002-events. I wanted to see if this field was the problem so I tried modifying my search like this:
sourcetype=my_sourcetype os_name=* | eval date_year=if(match(file_date,"2002.*"),2002,date_year) | timechart count(os_name) by os_name
but it doesn't change my timechart, the 2002-events are still visible even though my chosen time doesn't include the year 2002.
So, now I wonder what the problem might be?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This was to long for a comment:
When I look at the timeline in splunk it seems like the _time-field is correct.
I'm extracting a field called file_date from source, then I'm using eval in props.conf to override time(in some cases the timestamp doesn't contain a time):
EVAL-_time=case(match(file_date,"\d{4}(-\d{2}){2}_\d{2}(-\d{2}){2}"),strptime(file_date,"%F_%H-%M-%S"), match(file_date,"\d{4}(-\d{2}){2}"), strptime(file_date,"%F"))
This is what I have in transforms.conf where I extract file_date(and I'm referring to this stanza with TRANSFORM in props.conf and I have modified the field.conf-file as well):
[file_date]
SOURCE_KEY=MetaData:Source
REGEX=.*\w*_(\d{4}(-\d{2}){2}(_\d{2}(-\d{2}){2})?)
FORMAT=file_date::$1
DEFAULT_VALUE=file_date::"2002-01-01_00-00-00"
WRITE_META=true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
date_year, and the other date_* fields are extracted from _raw, and will be present in almost all events that contain a recognizable timestamp. Usually, _time will be the same, with adjustments for timezones if relevant.
It seems that your replacement of _time might not be working as you expected, and it's a bit hard to tell without knowing what your configurations and source data looks like.
/K
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
