Solved: Re: Field '_time' should have numerical values

Jamietriplet

Hi all,

I am new to splunk, and i have got the following error:

"Field '_time' should have numerical values" when I try to run a timechart command.

I have got a csv file 'try.csv', which I read in some fields to display, but when I initiate a timechart command I get the above error.

The csv file 'try.csv' has a column named _time, which has an ISO8601 time

I would appreciate any guide or help I can get, as I am relatively new to splunk

Thanks

dataisbeautiful

Hi @Jamietriplet

Sounds like _time is being read as a string not as epochtime, try this

| eval _time = strptime(_time, "%Y-%m-%dT%H:%M:%S.%N")

View solution in original post

dataisbeautiful

Hi @Jamietriplet

Sounds like _time is being read as a string not as epochtime, try this

| eval _time = strptime(_time, "%Y-%m-%dT%H:%M:%S.%N")

Jamietriplet

Hi, dataisbeautiful , this worked. Thanks

gcusello

Hi @Jamietriplet,

to use timechart you must use the -time field that's in epochtime format.

If in your csv you have the _time field in a different format, you have to convert in epochtime (using strptime function in eval command) before the timechart command:

Ciao.

Giuseppe

Jamietriplet

Thanks @gcusello

gcusello

Ciao @Jamietriplet ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Field '_time' should have numerical values

timechart

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!