I have the following query that shows me that date/time is getting parsed correctly and is now displaying as a regular Splunk time:
client
| table date, hour, _time, epochtime, correct_timestamp, rate
| eval correct_timestamp = date + " " + hour + ":00:00"
| eval epochtime = strptime(correct_timestamp, "%Y-%m-%d %H:%M:%S")
| eval _time = strftime(epochtime, "%Y-%m-%d %H:%M:%S %p")
When I try to use the following query to create a timechart with an hourly average of the rate, I get no visualizations. I can easily create a timechart of rate that happens by day. Why can I not get this down to the hour?
client
| eval correct_timestamp = date + " " + hour + ":00:00"
| eval epochtime = strptime(correct_timestamp, "%Y-%m-%d %H:%M:%S")
| eval _time = strftime(epochtime, "%Y-%m-%d %H:%M:%S %p")
| timechart avg(rate) span=1h
@jamesandy51,
Try using the epoch time in timechart before you convert it to a string using strftime.
i.e.
client
| eval correct_timestamp = date + " " + hour + ":00:00"
| eval _time=strptime(correct_timestamp,"%Y-%m-%d %H:%M:%S")
| timechart avg(rate) span=1h
This still does not work. It looks like after I run the |timechart command, it reverts _time to the original value before the eval.
Any other ideas?
Your search is slightly incorrect - you're assigning an actual integer to epochtime using strptime, and then using strftime to format/assign it to _time. The field _time should have the epoch value, not the formatted value. This is causing timechart to be confused.
You're on the right track, and Renjith's answer is a correct one.
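To make the epoch-versus-string point reproducible without the original index, here is a self-contained search added as an example (not code from either answer above). It fabricates a handful of date/hour/rate rows with makeresults, rebuilds the hourly timestamp the same way the question does, and assigns the strptime epoch directly to _time so that timechart can bucket it. The field name "rows" and the five sample rows are constructed for the demonstration; the "client" index is not needed.

```spl
| makeresults count=1
| eval rows="2019-03-04,00,5;2019-03-04,00,7;2019-03-04,01,9;2019-03-04,02,4;2019-03-04,02,6"
| makemv delim=";" rows
| mvexpand rows
| rex field=rows "^(?<date>[^,]+),(?<hour>[^,]+),(?<rate>.+)$"
| eval correct_timestamp = date . " " . hour . ":00:00"
| eval _time = strptime(correct_timestamp, "%Y-%m-%d %H:%M:%S")
| timechart avg(rate) span=1h
```

Run it with the time picker set to All time (the fabricated timestamps are outside any recent window). The expected result is three hourly buckets with averages 6, 9 and 5. To reproduce the failure in the question, replace the _time line with an eval that assigns strftime(...) instead: _time then holds a formatted string rather than a number, timechart cannot bin it, and the chart comes back empty.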
Got it, I have it working now. Thank you both for the help!!
@jamesandy51, if it worked for you, please accept as answer. Thanks