Solved: Re: Using CSV field as time

bvan · ‎07-13-2020

I have a CSV file with a column labeled published. Timestamp values in that field are listed like so:

2020-07-01T01:17:02.649Z

I'm trying to use the "published" column as _time for some dashboarding and I'm using:

| inputlookup file.csv | eval _time=strptime("published","%Y-%m-%dT%H:%M:%S.%N")

However, when I run a time chart search it doesn't return any data. Is my eval command formatted correctly or is there something else I'm missing?

richgalloway · ‎07-13-2020

Try this eval.

| eval _time=strptime(published,"%Y-%m-%dT%H:%M:%S.%3N%Z")

It may not help. If not, please share the full search so we can see what else may be off.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎07-13-2020

Try this eval.

| eval _time=strptime(published,"%Y-%m-%dT%H:%M:%S.%3N%Z")

It may not help. If not, please share the full search so we can see what else may be off.

---
If this reply helps you, Karma would be appreciated.

bvan · ‎07-13-2020

Yup! That was it! Thanks so much!

Using CSV field as time