Can't use a filed for timestamp

Alaza · ‎02-28-2018

Hello,

I have importing a CSV file with the field2 for the timestamp. It's working.
After that I need to create a timechart using the filed1 for the timestamp.
I use this :
|eval _time=strptime(field1, "%d/%m/%Y")
| timechart span=year count(field3)

If I put "all the time" on the timepicker, it works.
But if put "year 2013" on the timepicker the year 2013, the result is the events of the year 2013 based on the index time ( equal to field2) and not the field1.

I don't understand why the timechart is based on the events link to the field1 inside the event link to the field2.

[Version Splunk 6.6.3]

cmerriman · ‎02-28-2018

the time picker uses the indexed time field for filtering. you will need to add a secondary filter for field1 to filter on, such as <base search> field1=*2013|eval _time=strptime(field1, "%d/%m/%Y")| timechart span=year count(field3)

Alaza · ‎02-28-2018

Hi, as I said I already use |eval _time=strptime(field1, "%d/%m/%Y").
Can you be more precise ?

cmerriman · ‎02-28-2018

you need to filter for the keyword 2013 in your base search. you can't use your time picker. you'll still need to eval _time to field1 in order to use that field in timechart but to filter for just 2013, you'll need to add it to the beginning of the search.

index=csv field1=*2013|eval _time=strptime(field1, "%d/%m/%Y")| timechart span=year count(field3)

Alaza · ‎02-28-2018

The use of the time picker was the goal, without it, my search not modulabe.

cmerriman · ‎02-28-2018

try something like this

...
| addinfo 
|eval _time=strptime(field1, "%d/%m/%Y")
| where _time>=info_min_time AND (info_max_time="+Infinity" OR _time<info_max_time) 
| fields - info_min_time info_max_time info_search_time info_sid
| timechart span=year count(field3)

Can't use a filed for timestamp

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life