If eventStartTime appears in the data, you can use props.conf to use that field as the timestamp at parsing time.
Check out the documentation: Configure timestamp recognition
Please note that this is index-time configuration/activity and will only be applicable for any future data that you ingest after you make the changes. Already existing data would not get affected.
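The props.conf approach from the answer above, as an added example that is not part of the original thread. The sourcetype name, the `eventStartTime=` key-value layout and the sample event are assumptions; the time format is the one used later in this thread.

```ini
# props.conf on the first Splunk instance that parses the data
# (indexer or heavy forwarder).
#
# Constructed sample event (assumed layout):
#   eventStartTime=2024-01-15 10:23:45.123 action=login user=alice

# Hypothetical sourcetype name; use the one assigned to your input.
[my_custom_sourcetype]
# Regex that must match immediately before the timestamp text.
TIME_PREFIX = eventStartTime=
# Same strptime format as the search-time eval in this thread.
# A width can be given on %N (%3N, %6N, %9N) to match the data.
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%N
# Characters after TIME_PREFIX to scan for the timestamp.
MAX_TIMESTAMP_LOOKAHEAD = 30
```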
Perfect. Is there a way, by any chance, to do it on the fly, meaning at search time?
You can change the _time to have values from field eventStartTime, at search time like this, but note that the time range will still apply from the older value of _time.
your base search | eval _time=strptime(eventStartTime,"%Y-%m-%d %H:%M:%S.%N")
Is there no way to have the timepicker (including ranges) work when assigning _time to a custom field?
Gorgeous !!!!