I am trying to extract a field containing the date an event actually happened rather than the _time field, because the data is coming from a CSV and being entered much later. I want to use this new _time value to limit the search to a window of time that will later be defined by tokens given from a drop-down box in the dashboard.
The base search I am using returns the field data in _time correctly.
index=test_index sourcetype=recipients OR sourcetype=opened
| eval _time=strptime(eventDate, "%m/%d/%Y")
| table _time
However, once relative time is added to the equation I get the error: "No matching fields exist [] Some events were removed by Timeliner because they were missing _time." In addition to this, the fields are merely put in descending order from the most recent time rather than being limited to the relative time range. Is there another way to do this?
index=test_index sourcetype=recipients OR sourcetype=opened
| eval _time=strptime(eventDate, "%m/%d/%Y")
| stats values(_time)
| where _time>=relative_time(now(),"-1m") AND _time<=now()
| table _time
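An added example of how the window filter can be applied to the recalculated _time, not taken from the question above. Two points drive it: `stats values(_time)` emits a field literally named `values(_time)`, so the following `where _time>=...` has no `_time` to compare against and every row is missing a timestamp; and `strptime` returns null for any eventDate that does not match "%m/%d/%Y", and an event with a null _time is one the Timeliner drops. The first search filters the events directly, without the `stats`, and keeps only rows whose date parsed; the second shows the aggregated form with the value renamed back to `_time`. The index, sourcetypes and `eventDate` are the ones in the question; the token `$window_tok$` is an assumed dashboard token name that would carry a relative-time modifier such as "-7d@d", and the parentheses around the sourcetype test are added only to make the intended grouping explicit.

```spl
index=test_index (sourcetype=recipients OR sourcetype=opened)
| eval _time=strptime(eventDate, "%m/%d/%Y")
| where isnotnull(_time) AND _time>=relative_time(now(), "$window_tok$") AND _time<=now()
| table _time eventDate sourcetype

index=test_index (sourcetype=recipients OR sourcetype=opened)
| eval _time=strptime(eventDate, "%m/%d/%Y")
| stats values(_time) as _time
| mvexpand _time
| where _time>=relative_time(now(), "$window_tok$") AND _time<=now()
| table _time
```

When testing the window by hand, replace `$window_tok$` with a literal modifier; note that in Splunk relative-time syntax `-1m` is one minute and `-1mon` is one month, so a drop-down that is meant to offer a month-wide window should supply the latter. Adding `| search eventDate=* NOT _time=*` as a separate diagnostic search (before the `where`) lists the rows whose dates failed to parse, which is the usual cause of the "missing _time" message once the field naming is fixed.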