Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

assign filed value to _time

surekhasplunk
Communicator
‎10-01-2016 12:08 AM

index=level3 host=Test | eval _time=strptime("Opened D","%m/%d/%Y") |table _time "Opened D"

index=level3 host=Test | table "Opened D" _time

How to get Opened D time value into _time field so that I can use timechart command and use span to get proper visualization.
I tried using below query but no luck.

index=level3 host=Test | eval _time=strptime("Opened D","%m/%d/%Y") |table _time "Opened D

Tags (2)
Preview file
1 KB
0 Karma
Reply

jitendragupta
Path Finder
‎01-16-2018 05:40 AM

I also have same kind of question, I want to insert data from kv store to index with _time same as fromdate column in my kv store.
I am able to insert data normally i.e without | eval _time = fromdate .
But when I using this eval, clause I am getting error.

0 Karma
Reply

sundareshr
Legend
‎10-01-2016 11:32 AM

For all new data, you should consider indexing Open D as your time field. But for existing field you could use "Open D" like this

index=level3 host=Test | eval OpenD=strptime("Opened D", "%-m/%-d/%Y") | bin OpenD | stats count by OpenD
0 Karma
Reply

maciep
Champion
‎10-01-2016 05:28 AM

What is the question here? Are you trying to troubleshoot the error message or do you really just want to eval a field to _time?

0 Karma
Reply

surekhasplunk
Communicator
‎10-01-2016 06:02 AM

The question here is I want _time to be same as Opened D time then only I can use timechart command else timechart command isn't working as expected as it is taking the date the file is uploaded and not Opened D date.
How can I convert Opened D date to _time field.

0 Karma
Reply

maciep
Champion
‎10-01-2016 06:32 AM

I see, so something like this maybe?

index=level3 host=Test | eval _time = 'Opened D' | timechart count

Also, if Opened D is in the source data, do you also want to use that as the timestamp of the event when you index the data? That way it will already be the same as _time and you won't have to do any evals.

0 Karma
Reply

surekhasplunk
Communicator
‎10-02-2016 11:21 PM

yes I want to index the filed Openend D of the file so that this filed's time will come in _time but somehow it isn't working don't know why.please help me with this if you can.

But when I tried using the query you provided am getting value in _time=NaN/NaN/aN
NaN:NaN:NaN.000 AM
It isn't getting evaluated properly

index=level3 host=Test | eval _time = 'Opened D'


NaN/NaN/aN
NaN:NaN:NaN.000 AM

TASK0157512,4 - Low,Work in Progress,Global - Service Assurance - Tier 2/3,kandukuri.saianusha,Catalog Task,9/27/2016,,9/27/2016,09/27,01/00,2,< 3 Days,0,2,< 3 Days,

host = Test

source = Level3_Daily_Report_26.csv

sourcetype = csv

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...