Hello
I have events similar to:
2014-07-16 9:40:20 msg="hello" time="2014-07-16 9:40:20"
2014-07-16 10:45:20 msg="world" time="2014-07-16 03:45:20"
The first timestamp is used for indexing (which is OK in most cases), but I would like to use the content of the field time to build a specific timechart. How can I instruct Splunk to do so?
Thank you!
Splunk uses the _time field for timecharting. You can eval the value of _time to another value and timechart by it.
Try this if your time field is indexed as a string:
Fixing the type with this query; the current version would cause the search to fail.
... your base search ... | eval NewTime=strptime(time,"%Y-%m-%d %H:%M:%S") | eval _time=NewTime | timechart count
Or this if your time field is indexed as a timestamp:
... your base search ... | eval _time=time | timechart count
Try this
your base search | eval _time=strptime(time,"%Y-%m-%d %H:%M:%S") | timechart .....
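To make the difference between the two approaches visible, here is an added Python sketch (not from the original answers) that mimics what the searches above do: read the index timestamp, or parse the time field with the same strptime format, then bucket the events the way timechart count does. It assumes the events are in UTC and a fixed one-hour span, which is a simplification of Splunk's timezone handling and automatic span selection.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events, modelled on the two lines in the question.
EVENTS = [
    '2014-07-16 9:40:20 msg="hello" time="2014-07-16 9:40:20"',
    '2014-07-16 10:45:20 msg="world" time="2014-07-16 03:45:20"',
]

# Same format string the SPL answers pass to strptime().
FMT = "%Y-%m-%d %H:%M:%S"


def to_epoch(text):
    """Parse FMT into epoch seconds; assumes UTC (Splunk would apply the search TZ)."""
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc).timestamp()


def index_time(event):
    """The leading timestamp Splunk assigned at index time, i.e. _time before any eval."""
    return to_epoch(event.split(" msg=")[0])


def field_time(event):
    """Equivalent of eval _time=strptime(time, FMT): epoch from the time="..." field."""
    m = re.search(r'time="([^"]*)"', event)
    if m is None:
        return None  # strptime on a missing field yields null; timechart drops the event
    return to_epoch(m.group(1))


def timechart_count(events, time_func, span=3600):
    """timechart count with a fixed span: bucket the chosen _time and count per bucket."""
    counts = Counter()
    for ev in events:
        t = time_func(ev)
        if t is None:
            continue
        counts[int(t // span) * span] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("by index time:", timechart_count(EVENTS, index_time))
    print("by time field:", timechart_count(EVENTS, field_time))
```

The second event lands in the 10:00 bucket when charted by index time but in the 03:00 bucket when charted by the time field, which is exactly the shift the eval of _time produces.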
Thanks. Shouldn't the first search be without eval _time=NewTime?