Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

assign filed value to _time

surekhasplunk
Communicator
‎10-01-2016 12:08 AM

index=level3 host=Test | eval _time=strptime("Opened D","%m/%d/%Y") |table _time "Opened D"

index=level3 host=Test | table "Opened D" _time

How to get Opened D time value into _time field so that I can use timechart command and use span to get proper visualization.
I tried using below query but no luck.

index=level3 host=Test | eval _time=strptime("Opened D","%m/%d/%Y") |table _time "Opened D

Tags (2)
Preview file
1 KB
0 Karma
Reply

jitendragupta
Path Finder
‎01-16-2018 05:40 AM

I also have same kind of question, I want to insert data from kv store to index with _time same as fromdate column in my kv store.
I am able to insert data normally i.e without | eval _time = fromdate .
But when I using this eval, clause I am getting error.

0 Karma
Reply

sundareshr
Legend
‎10-01-2016 11:32 AM

For all new data, you should consider indexing Open D as your time field. But for existing field you could use "Open D" like this

index=level3 host=Test | eval OpenD=strptime("Opened D", "%-m/%-d/%Y") | bin OpenD | stats count by OpenD
0 Karma
Reply

maciep
Champion
‎10-01-2016 05:28 AM

What is the question here? Are you trying to troubleshoot the error message or do you really just want to eval a field to _time?

0 Karma
Reply

surekhasplunk
Communicator
‎10-01-2016 06:02 AM

The question here is I want _time to be same as Opened D time then only I can use timechart command else timechart command isn't working as expected as it is taking the date the file is uploaded and not Opened D date.
How can I convert Opened D date to _time field.

0 Karma
Reply

maciep
Champion
‎10-01-2016 06:32 AM

I see, so something like this maybe?

index=level3 host=Test | eval _time = 'Opened D' | timechart count

Also, if Opened D is in the source data, do you also want to use that as the timestamp of the event when you index the data? That way it will already be the same as _time and you won't have to do any evals.

0 Karma
Reply

surekhasplunk
Communicator
‎10-02-2016 11:21 PM

yes I want to index the filed Openend D of the file so that this filed's time will come in _time but somehow it isn't working don't know why.please help me with this if you can.

But when I tried using the query you provided am getting value in _time=NaN/NaN/aN
NaN:NaN:NaN.000 AM
It isn't getting evaluated properly

index=level3 host=Test | eval _time = 'Opened D'


NaN/NaN/aN
NaN:NaN:NaN.000 AM

TASK0157512,4 - Low,Work in Progress,Global - Service Assurance - Tier 2/3,kandukuri.saianusha,Catalog Task,9/27/2016,,9/27/2016,09/27,01/00,2,< 3 Days,0,2,< 3 Days,

host = Test

source = Level3_Daily_Report_26.csv

sourcetype = csv

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...