How to add _time as an attribute in a base search ...

deanilol · ‎03-02-2015

So I'd like to add the _time attribute to a base search object. As I understand it, I can't use the linear pivot diagram if I don't have _time on the x axis. Now what I want to do is to set _time=(another attribute) so that I can use the linear pivot diagram and choose my own attribute on the x-axis. My problem is that I can't find a way to add the _time as an attribute in the object.

Is there a way to do this without using root Event?

If not, how would I do the same thing using eval expressions in a root event object.

thanks!!

jmallorquin · ‎04-09-2015

Hi,

Have you try the command addinfo?

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Addinfo

Regards,

vganjare · ‎04-09-2015

Hi,

You can use eval to copy the _time value. Something like :

... | eval customTime = _time | ....

Thanks!!

How to add _time as an attribute in a base search object?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor