Hi,
In my query, the time stamp is created from the event content.
| rex "(?<Time>\d+\/\d+\/\d+\/\d+\/\d+\/\d+) (?\d*\.\d+|[[int]]) (?\d*\.\d+|[[int]])"
| eval _time=strptime(Time,"%Y/%m/%d/%H/%M/%S")
| chart somevalues by _time
The graph works well, but when I try to use the Splunk time picker, last x hours does not return the last x hours' events.
It returns events from days ago.
Does anyone know what happened here? Thanks in advance!
EG:
event content: 2018/1/30/12/0/30 0.1 2.1
_time: 2018-01-30T12:00:30.000-05:00