Hi,
I'm using JSON extract on my rows. I want to use the value that is contained in "message.time" instead of _time to timechart against.
This field is a UNIX epoch timestamp, for example 1525847317
I am trying this:
sourcetype="my_source_type"
| eval _time=message.time
| dedup message.userId
| timechart span=1month count
Somebody else has said elsewhere on the forums that internally _time is an epoch value and it's just converted in the display to a string like 2018-05-09T13:33:57.000+03:00
I have also tried | eval _time=strftime(message.time, '%Ez') and also the strptime function, just in case.
Whatever I try the _time variable is cut out of the event (when I expand the event row) and my statistics table never contains any data.
How can I use the epoch timestamp value to timechart against?
EDIT:
This query shows three rows, _time formatted like 2018-05-09 14:06:56 and timetest / message_time both formatted as Unix epoch timestamps.
sourcetype="my_source_type"
| eval timetest=_time
| dedup message.userId
| table _time, timetest, message.time
This query has blank (empty) columns for _time and timetest:
sourcetype="my_source_type"
| eval _time=message.time
| eval timetest=_time
| dedup message.userId
| table _time, timetest, message.time
This query has a blank column for timetest, but _time is populated... maybe there is a problem with field extraction? The documentation http://docs.splunk.com/Documentation/SplunkCloud/7.0.0/Knowledge/Addanevalexpressionattribute says that you can use an auto-extracted field to eval with.
sourcetype="my_source_type"
| eval timetest=message.time
| dedup message.userId
| table _time, timetest, message.time
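An added example, not the original poster's query, of the same search with the dotted field name wrapped in single quotes, which in Splunk eval marks it as a field name; left unquoted, `message.time` is parsed as the eval concatenation operator `.` applied to the two fields `message` and `time`, neither of which exists, so the result is null and _time disappears. It assumes the same sourcetype and JSON fields as the post.

```spl
sourcetype="my_source_type"
| eval _time=tonumber('message.time')
| where isnotnull(_time)
| dedup message.userId
| timechart span=1month count
```

The tonumber() call turns the auto-extracted string into the numeric epoch value _time expects, and the where clause drops events whose message.time is missing or non-numeric instead of carrying a null _time into the timechart.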