I am running a search against JSON data, and I am able to get the field I am interested in. Now, I am trying to set that field as a timestamp for charts, but it is not working.
index=idx-index-name "fields.created"="*"
| eval _time=strptime("fields.created","%Y-%m-%dT%H:%M:%SZ")
| timechart span=1d count
Value of field - "fields.created" - 2019-01-09T10:51:34.000-0500
If I remove the second line and run the command, all the events are in index time (today), but the records are from the last 1 month.
Can someone help me find what I am missing?
Hi @premraj_vs
Give this a try:
index=idx-index-name "fields.created"="*"
| eval _time=strptime('fields.created',"%Y-%m-%dT%H:%M:%SZ")
| timechart span=1d count
Sometimes you need to use single quotes when referring to field names that have strange characters in them.
All the best
It worked. Thanks for the help.
OK, looks like your strptime format is wrong. Try this one instead: %Y-%m-%dT%H:%M:%S.%3Q%z
Yes, I made this change.
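The two points raised in this thread (single quotes for the field reference, and a format string with subseconds and a UTC offset) can be checked without touching the index. The search below is an added example, not code from any poster in the thread: it builds one event with `makeresults` carrying the sample value from the question, and the output field names (`as_literal`, `as_field`, `literal_parsed`, `field_parsed`, `readable`) are hypothetical. In eval, a double-quoted right-hand argument is a string literal, so `as_literal` tries to parse the text "fields.created" itself and comes back null, while `as_field` parses the field's value.

```spl
| makeresults
| eval "fields.created"="2019-01-09T10:51:34.000-0500"
| eval as_literal=strptime("fields.created", "%Y-%m-%dT%H:%M:%S.%3Q%z")
| eval as_field=strptime('fields.created', "%Y-%m-%dT%H:%M:%S.%3Q%z")
| eval literal_parsed=if(isnull(as_literal), "no", "yes")
| eval field_parsed=if(isnull(as_field), "no", "yes")
| eval readable=strftime(as_field, "%Y-%m-%d %H:%M:%S %z")
| table fields.created as_literal literal_parsed as_field field_parsed readable
```

Swapping in a different format string on the `as_field` line shows whether that format parses this timestamp shape before `_time` is overwritten in the real search.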