- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to change _time to some other timestamp field ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to change _time to some other timestamp field for a timechart search?
Hello,
I am trying to use a different timestamp that is NOT _time. My time stamp is Transaction_Date. I tried the below search, but it's not working. I am getting a timechart with Transaction Date, however, when I click the small magnifying glass near the timepicker in the search command, I am getting all results. Can you please help.
index=base search... | eval _time=strptime(Transaction_Date,"%Y-%m-%d %H:%M:%S.%N")
I just want the magnifying glass to pick Transaction_Date timestamp and not _time originally indexed.
You can see I'm changing the Transaction_Date to _time so I can use it in the timechart. The problem is it is not applying the time set in the picker and it's just displaying all the results.
Any Help ASAP would be great help, am struggling to achieve this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The magnifying glass in the search app will only apply to the _time field. However, you have couple of options
1) Create a search dashboard with timerange as input. This will allow you control which field to use for time. For example, if you create a field call time, convert user selection to epoch using <change> event/drilldown for time selection, your query will look something like this index=base_search Transaction_Date>$e$ Transaction_Date<$l$ | rest of your search
2) Reindex data using Transaction_Date as the field for _time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Sundaresh
Thank you so much for the reply.
Can you please tell me the search query for the scenario 1. I am trying to use like this. But not getting results,
index=base_search | eval Transdate=strptime(Transaction_Date,"%Y-%m-%d %H:%M:%S.%N")| where Transdate>$earliest$ AND Transdate<$latest$
As you mentioned above how to use the event/drilldown for time selection..
I have just started to work on splunk and this is important to me. Thanks for ur time and help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Create a dashboard with a dropdown and populate the dropdown with values from Transaction_Date field. Something like this. You will need to change the query to match you dataset. This is to give you an idea. This will not work, because the time format is not the same (dropdown vs index)
<form>
<label>Test Timerange</label>
<fieldset submitButton="false">
<input type="dropdown" token="e" searchWhenChanged="true">
<label>Time Earliest</label>
<search>
<query>index=_internal | stats count by _time | fields _time</query>
<earliest>-60m@m</earliest>
<latest>now</latest>
</search>
<fieldForLabel>_time</fieldForLabel>
<fieldForValue>_time</fieldForValue>
</input>
</fieldset>
<row>
<panel>
<table>
<search>
<query>index=_internal | where _time>$e$ | timechart span=1m count by sourcetype</query>
<earliest>-4h@m</earliest>
<latest>now</latest>
</search>
<option name="wrap">undefined</option>
<option name="rowNumbers">undefined</option>
<option name="drilldown">row</option>
</table>
</panel>
</row>
</form>
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
