Hi Lamar,

You are right, this option require a numeric value.

That’s the reason to use strptime that convert our human readable time string to an epoch time

Example:

adate = 2012-06-26 00:00:00.000
Initialtime = 1340661600.000000 (numeric)

Additionaly, I tried to forze this Initialtime field to numeric format with | convert num(Initialtime) as InitialtimeNum but the query always return:

Error in 'bin' command: The value for option start (InitialTime) is invalid.

Note: Splunk indicates that Convert command is mostly deprecated.

Thanks,

Hi Borja!

Did you ever find an answer to this? I'm struggling with the same issue. Using the value of an eval field inside a command.

That's not an integer though. There are integers in that string you're creating, it might look something like this:

2012-10-10 10:10:10.100

What you want to feed it is an integer. try using:

| convert ctime (ADate) as Initialtime ...

That will be the epoch conversion of that date-time, which will be an integer that the start keyword is expecting. And if it's already epoch, just pass it over to start.

Hi Lamar,

In this case, I am using another date field converter by strptime where it is assumed that the output is an integer

| eval Initialtime = strptime(ADate,"%Y-%m-%d %H:%M:%S.%l") | bin DemoTime span=7d start=Initialtime as weeks

Thanks,