I have data similiar to the following - this is just a subset as the full data file contains 4 days worth of data. The data was imported as a one shot deal all at once.
2018/1/3/12/34/10 2 1 6.00
2018/1/3/12/35/10 2 1 6.00
2018/1/3/12/36/10 2 1 6.00
2018/1/3/12/37/10 3 1 7.00
2018/1/3/12/38/10 3 1 7.00
2018/1/3/12/39/10 2 1 6.00
2018/1/3/12/40/10 3 1 7.00
To graph the data, we use the following command.
source="/tmp/getsysgfiles/server_cpu.g" | rex "(?\d+\/\d+\/\d+\/\d+\/\d+\/\d+) (?\d+) (?\d+)" | eval _time=strptime(Time,"%Y/%m/%d/%H/%M") | timechart sum(two) span=1m
The problem is that the graph shows all data. For instance, is there a way to modify the command to only show entries from the past 24 hours? If I use the time picker or the "earliest" command, it seems to be using the import time of the data, not the timestamp we converted in strptime.
source="/tmp/getsysgfiles/server_cpu.g" | eval _time=strptime(Time,"%Y/%m/%d/%H/%M") | addinfo | where _time>=info_min_time and _time<info_max_time | timechart sum(two) span=1m
I removed your rex
command, as it didn't seem to be extracting a field anyway.
But, really, you should work at getting the timestamp correct at index time. Is there a reason the timestamp you want to use here differs from the event time Splunk has for the event?