Hi,
I need to perform a timechart count for a particular field. The dates in the field aren't related to the timestamp the log was received and can go back to dates a few years ago, and so I overwrite the _time and convert the field to epoch. This works well and the figures in the graph are accurate. However if I try and select the timeframe for 'last 7 days' or 'last 30 days' for example the timechart still shows all entries including those going back to 2017.
index=example sourcetype=examplesource | eval epoch_logged_time=strptime('Date Logged',"%d/%m/%Y") | eval _time=epoch_logged_time | timechart count span=7d
What's going on here?
TIA
Like this:
index=example sourcetype=examplesource earliest=0 latest=now
| eval epoch_logged_time=strptime('Date Logged',"%d/%m/%Y")
| eval _time=epoch_logged_time
| addinfo
| where ((_time >= info_min_time) AND (_time=="+Infinity" OR _time<=info_max_time))
| timechart fixedrange=f count span=7d
| makeresults count=2
| streamstats count
| eval _time = if (count==2,relative_time(_time,"-2y@d"), relative_time(_time,"@d"))
| makecontinuous span=1d
| eval time=now()
| streamstats count
| eval time=relative_time(time,"-".count."d@d")
| eval value=random() % 50 + 1
| bin span=7d time
| chart sum(value) as count by time
| rename time as _time
Anyway, even if it is not timechart, you can create a time series table. Isn't it ok to limit _time with where, create a table, and rename it?
So I got this to do what I wanted using the following search. It's not the prettiest so I'm still wondering if there's a better way.
...| eval epoch_logged_time=strptime('Date Logged',"%d/%m/%Y") | eval _time=epoch_logged_time | where _time>now()-7257600 | timechart count span=7d
Try my updated answer. It should do exactly what you need as selected by the Time picker.
Thanks, but I get errors on the +Infinity value. I tried swapping that out for 'now' but it still just displays all time.
You also need fixedrange=false. I updated my answer.
Thanks again. This still isn't taking the input from the timepicker and is just showing all dates.
That seems pretty impossible because my answer is a slightly improved version of what you said in your other answer is already working. The addinfo part takes the timepicker's values and trims based on that instead of hard-coded. Are you sure that you are using what I posted?
Yes, I copied and pasted it from here.
I see now it needs to have the "earliest=0 latest=now" removed for this to work.
Thanks for your help.
I see now that the timeframe is created before the eval overwrites the _time field.
Is there anything I can do here to show specific times?
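To make the order-of-operations point concrete, here is a small Python model of the pipeline (an added example, not Splunk code and not anything posted in this thread). It assumes a constructed set of four events, treats the time picker as a pair of epoch bounds, and uses "received" to stand in for the indexed timestamp that Splunk puts in _time.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events. "received" stands in for the indexed timestamp that
# Splunk puts in _time; "Date Logged" is the dd/mm/yyyy field the chart should use.
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
EVENTS = [
    {"received": NOW - timedelta(days=1),  "Date Logged": "30/05/2019"},
    {"received": NOW - timedelta(days=2),  "Date Logged": "12/04/2019"},
    {"received": NOW - timedelta(days=3),  "Date Logged": "03/03/2017"},
    {"received": NOW - timedelta(days=40), "Date Logged": "20/05/2019"},
]

def picker_last_days(days):
    """Time picker 'last N days' as (earliest, latest) epoch seconds."""
    latest = NOW.timestamp()
    return latest - days * 86400, latest

def strptime_ddmmyyyy(value):
    """eval _time=strptime('Date Logged', "%d/%m/%Y"), as epoch seconds (UTC)."""
    return datetime.strptime(value, "%d/%m/%Y").replace(tzinfo=timezone.utc).timestamp()

def timechart_count(rows, span_days=7):
    """timechart count span=7d: count rows per fixed-width _time bucket."""
    span = span_days * 86400
    counts = {}
    for row in rows:
        bucket = int(row["_time"] // span) * span
        counts[bucket] = counts.get(bucket, 0) + 1
    return dict(sorted(counts.items()))

def search_filter_first(earliest, latest):
    """The original search: the picker trims on the indexed timestamp first,
    then eval overwrites _time, so 2017 'Date Logged' values still get charted."""
    picked = [e for e in EVENTS if earliest <= e["received"].timestamp() <= latest]
    rows = [{"_time": strptime_ddmmyyyy(e["Date Logged"])} for e in picked]
    return timechart_count(rows)

def search_addinfo_after_eval(earliest, latest):
    """The thread's approach: search all time, overwrite _time, then re-apply the
    picker bounds (addinfo's info_min_time/info_max_time) with where on the new _time."""
    rows = [{"_time": strptime_ddmmyyyy(e["Date Logged"])} for e in EVENTS]
    rows = [r for r in rows if earliest <= r["_time"] <= latest]
    return timechart_count(rows)

if __name__ == "__main__":
    earliest, latest = picker_last_days(7)
    print("picker first, eval after :", search_filter_first(earliest, latest))
    print("eval first, where after  :", search_addinfo_after_eval(earliest, latest))
```

With "last 7 days" the first ordering still charts the 2017 bucket because that event was received yesterday, while the second keeps only the event whose Date Logged actually falls inside the picked window.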