Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

assign filed value to _time

surekhasplunk
Communicator
‎10-01-2016 12:08 AM

index=level3 host=Test | eval _time=strptime("Opened D","%m/%d/%Y") |table _time "Opened D"

index=level3 host=Test | table "Opened D" _time

How to get Opened D time value into _time field so that I can use timechart command and use span to get proper visualization.
I tried using below query but no luck.

index=level3 host=Test | eval _time=strptime("Opened D","%m/%d/%Y") |table _time "Opened D

Tags (2)
Preview file
23 KB
0 Karma
Reply

jitendragupta
Path Finder
‎01-16-2018 05:40 AM

I also have same kind of question, I want to insert data from kv store to index with _time same as fromdate column in my kv store.
I am able to insert data normally i.e without | eval _time = fromdate .
But when I using this eval, clause I am getting error.

0 Karma
Reply

sundareshr
Legend
‎10-01-2016 11:32 AM

For all new data, you should consider indexing Open D as your time field. But for existing field you could use "Open D" like this

index=level3 host=Test | eval OpenD=strptime("Opened D", "%-m/%-d/%Y") | bin OpenD | stats count by OpenD
0 Karma
Reply

maciep
Champion
‎10-01-2016 05:28 AM

What is the question here? Are you trying to troubleshoot the error message or do you really just want to eval a field to _time?

0 Karma
Reply

surekhasplunk
Communicator
‎10-01-2016 06:02 AM

The question here is I want _time to be same as Opened D time then only I can use timechart command else timechart command isn't working as expected as it is taking the date the file is uploaded and not Opened D date.
How can I convert Opened D date to _time field.

0 Karma
Reply

maciep
Champion
‎10-01-2016 06:32 AM

I see, so something like this maybe?

index=level3 host=Test | eval _time = 'Opened D' | timechart count

Also, if Opened D is in the source data, do you also want to use that as the timestamp of the event when you index the data? That way it will already be the same as _time and you won't have to do any evals.

0 Karma
Reply

surekhasplunk
Communicator
‎10-02-2016 11:21 PM

yes I want to index the filed Openend D of the file so that this filed's time will come in _time but somehow it isn't working don't know why.please help me with this if you can.

But when I tried using the query you provided am getting value in _time=NaN/NaN/aN
NaN:NaN:NaN.000 AM
It isn't getting evaluated properly

index=level3 host=Test | eval _time = 'Opened D'


NaN/NaN/aN
NaN:NaN:NaN.000 AM

TASK0157512,4 - Low,Work in Progress,Global - Service Assurance - Tier 2/3,kandukuri.saianusha,Catalog Task,9/27/2016,,9/27/2016,09/27,01/00,2,< 3 Days,0,2,< 3 Days,

host = Test

source = Level3_Daily_Report_26.csv

sourcetype = csv

0 Karma
Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...