Solved: Re: How to create a timechart based on index time?

DEAD_BEEF · ‎08-27-2018

I'm trying to create a timechart to show when logs were ingested. Trying to use _indextime but it doesn't seem to be working. What am I missing on my SPL?

Current query

index=web
| eval _time=strptime(_indextime, "%d-%b-%y %H:%M:%S") 
| timechart span=1h count by index

FrankVl · ‎08-27-2018

You shouldn't be putting a formatted string timestamp into _time. Splunk expects an epoch timestamp there (even though it usually presents _time automatically as a human readable string). So just try eval _time = _indextime.

View solution in original post

DalJeanis · ‎08-27-2018

_indextime is already in epoch. No conversion is needed.

 | eval  _time = _indextime

skoelpin · ‎08-27-2018

Try strftime instead

index=web
 | eval indextime=strftime(_indextime, "%d-%b-%y %H:%M:%S") 
 | timechart span=1h max(indextime) by index

If you wanted to identify indexing lag, you can do this

    index=web
   | eval indextime=strftime(_indextime, "%s") 
   | eval diff=indextime-_time
   | timechart span=1h max(diff) AS diff

FrankVl · ‎08-27-2018

You shouldn't be putting a formatted string timestamp into _time. Splunk expects an epoch timestamp there (even though it usually presents _time automatically as a human readable string). So just try eval _time = _indextime.

How to create a timechart based on index time?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases