Solved: Re: create timechart using a string date field

jdepp · ‎08-25-2016

I found a few answers here on this forum on how to use a date string field as the datetime for a timechart. I tried these but could not get it to work.
I want to view counts for the last 7 days based on that date. The datetime field format is the following;

created_date
2016-08-18T13:45:08.000Z

This is the original timechart format

source="/data.newIndex/tcp/10064" timechart count AS Count

but I changed to the one this and still not getting any results I expected.

source="/data.newIndex/tcp/10064"  eval e_field = strptime(created_date, "%Y-%M-dThh:hh:ss.000Z") | eval _time = e_field | timechart count AS Count

Please any advice or assistance appreciated.

Thanks

sundareshr · ‎08-25-2016

Try this

source="/data.newIndex/tcp/10064" | eval e_field = strptime(created_date, "%Y-%m-%dT%H:%M:%S.%3NZ") | eval _time=e_field | timechart count AS Count

*OR*

source="/data.newIndex/tcp/10064" | eval e_field = strptime(created_date, "%Y-%m-%dT%H:%M:%S.%3NZ") | bin e_field | stats count AS Count by e_field

View solution in original post

sundareshr · ‎08-25-2016

Try this

source="/data.newIndex/tcp/10064" | eval e_field = strptime(created_date, "%Y-%m-%dT%H:%M:%S.%3NZ") | eval _time=e_field | timechart count AS Count

*OR*

source="/data.newIndex/tcp/10064" | eval e_field = strptime(created_date, "%Y-%m-%dT%H:%M:%S.%3NZ") | bin e_field | stats count AS Count by e_field

jdepp · ‎08-25-2016

the first one worked. Thanks very much. Appreciate it.

create timechart using a string date field

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!