Solved: create timechart using a string date field

jdepp · ‎08-25-2016

I found a few answers here on this forum on how to use a date string field as the datetime for a timechart. I tried these but could not get it to work.
I want to view counts for the last 7 days based on that date. The datetime field format is the following;

created_date
2016-08-18T13:45:08.000Z

This is the original timechart format

source="/data.newIndex/tcp/10064" timechart count AS Count

but I changed to the one this and still not getting any results I expected.

source="/data.newIndex/tcp/10064"  eval e_field = strptime(created_date, "%Y-%M-dThh:hh:ss.000Z") | eval _time = e_field | timechart count AS Count

Please any advice or assistance appreciated.

Thanks

sundareshr · ‎08-25-2016

Try this

source="/data.newIndex/tcp/10064" | eval e_field = strptime(created_date, "%Y-%m-%dT%H:%M:%S.%3NZ") | eval _time=e_field | timechart count AS Count

*OR*

source="/data.newIndex/tcp/10064" | eval e_field = strptime(created_date, "%Y-%m-%dT%H:%M:%S.%3NZ") | bin e_field | stats count AS Count by e_field

View solution in original post

sundareshr · ‎08-25-2016

Try this

source="/data.newIndex/tcp/10064" | eval e_field = strptime(created_date, "%Y-%m-%dT%H:%M:%S.%3NZ") | eval _time=e_field | timechart count AS Count

*OR*

source="/data.newIndex/tcp/10064" | eval e_field = strptime(created_date, "%Y-%m-%dT%H:%M:%S.%3NZ") | bin e_field | stats count AS Count by e_field

View solution in original post

jdepp · ‎08-25-2016

the first one worked. Thanks very much. Appreciate it.

create timechart using a string date field

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.Find out what your skills are worth! Read the report >

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!

Read the report >