Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Timespan trouble with timechart

gelica
Communicator
‎08-21-2013 03:35 AM

Hi,

I'm having some issues with timechart.
I'm overriding _time in props.conf, since my timestamp is extracted from source, and this part works fine. In some rare cases the source doesn't contain a timestamp, then I will set it to 1/1/2002 00.00.00.

I run this search:

sourcetype=my_sourcetype os_name=* | timechart count(os_name) by os_name

and it looks correct. However, when I want to limit the timespan to this year only, the 2002-events will still show.
I looked at the date_year field, and it's value is 2013 even in the 2002-events. I wanted to see if this field was the problem so I tried modifying my search like this:

sourcetype=my_sourcetype os_name=* | eval date_year=if(match(file_date,"2002.*"),2002,date_year) | timechart count(os_name) by os_name

but it doesn't change my timechart, the 2002-events are still visible even though my chosen time doesn't include the year 2002.

So, now I wonder what the problem might be?

Thanks

0 Karma
Reply

gelica
Communicator
‎08-21-2013 03:57 AM

This was to long for a comment:

When I look at the timeline in splunk it seems like the _time-field is correct.
I'm extracting a field called file_date from source, then I'm using eval in props.conf to override time(in some cases the timestamp doesn't contain a time):

EVAL-_time=case(match(file_date,"\d{4}(-\d{2}){2}_\d{2}(-\d{2}){2}"),strptime(file_date,"%F_%H-%M-%S"), match(file_date,"\d{4}(-\d{2}){2}"), strptime(file_date,"%F"))

This is what I have in transforms.conf where I extract file_date(and I'm referring to this stanza with TRANSFORM in props.conf and I have modified the field.conf-file as well):

[file_date]
SOURCE_KEY=MetaData:Source
REGEX=.*\w*_(\d{4}(-\d{2}){2}(_\d{2}(-\d{2}){2})?)
FORMAT=file_date::$1
DEFAULT_VALUE=file_date::"2002-01-01_00-00-00"
WRITE_META=true
0 Karma
Reply

kristian_kolb
Ultra Champion
‎08-21-2013 03:51 AM

date_year, and the other date_* fields are extracted from _raw, and will be present in almost all events that contain a recognizable timestamp. Usually, _time will be the same, with adjustments for timezones if relevant.

It seems that your replacement of _time might not be working as you expected, and it's a bit hard to tell without knowing what your configurations and source data looks like.

/K

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...