Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I get a time curve with field values?

WXY
Path Finder
‎09-18-2018 06:33 PM

Hello.

Now, I must get a time curve using a field value .

My data has these fields:_time,CreateDate

There is a data : 2018-09-18 20:30:04 , CreateDate="2018-09-18 01:04:19.95", EndDate="2018-09-18 09:16:47.813"

"2018-09-18 20:30:04 " is _time,

"2018-09-18 01:04:19.95" is CreateDate,

I want to get a time curve using the CreateDate field.

What should I do ?

Tags (3)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎09-19-2018 06:55 AM

Hi WXY,
if you want to span events every hour, try something like this:

your_search
| eval CreateDate=strptime(CreateDate,"%Y-%m-%d %H:%M:%S.%N")
| bin span=1h CreateDate
| stats count BY CreateDate
| eval CreateDate=strftime(CreateDate,"%Y-%m-%d %H:%M:%S.%N")

Bye.
Giuseppe

0 Karma
Reply

renjith_nair
Legend
‎09-19-2018 05:43 AM

@WXY,

Try

"your search" |eval _time=strptime(CreateDate,"%Y-%m-%d %H:%M:%S.%N") |timechart "field you want to chart"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...