Splunk is picking up a csv file that looks like this:
SP A,03/27/11 13:10:00,10,4,5,6
SP A,03/27/11 13:20:00,4,4,2,0
SP A,03/27/11 13:30:00,1,1,5,4
...
SP B,03/27/11 13:10:00,15,2,3,6
SP B,03/27/11 13:20:00,1,8,5,0
SP B,03/27/11 13:30:00,2,2,3,4
My assumption was that I would be able to do this:
| stats sum(column3) as total_column3 by _time | timechart avg(total_column3)
and end up with 25,5,3. But Splunk is adding milliseconds to _time, resulting in unique times/events:
3/27/11 1:10:00.400 PM SP A,03/27/11 13:10:00,10,4,5,6
...
3/27/11 1:10:00.247 PM SP B,03/27/11 13:10:00,15,2,3,6
I could use the date stamp column from the csv:
| stats sum(column3) as total_column3 by column2 | chart avg(total_column3) by column2
but I want to be able to use timechart and adjust span so I don't always have to use 10-minute intervals.
Should I be importing the data differently or is there a way around this?