Can I use the bucket command to group fields by time/date when extracted against a field other than _time?
I have a field called pub date in this format: 2017-10-04 09:00:27
and was hoping the following would group the events into buckets of 6 hours:
index=* | bucket pubdate span=6h | stats count by pub date
Doesn't seem to work; it just lists all the individual events.
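As an added worked example (not part of the original post): bucket, which is an alias of bin, only groups numeric fields. A string such as "2017-10-04 09:00:27" is not numeric, so bucket leaves it untouched and stats then counts every distinct value. The fix is to parse the string into epoch seconds with strptime first, bin that number, and format it back for display. The search below assumes the field is actually named pubdate with no space (a field name containing a space would have to be written as 'pub date' inside eval) and that the sample timestamp format shown in the question is used for every event.

```spl
index=* pubdate=*
| eval pubdate_epoch=strptime(pubdate, "%Y-%m-%d %H:%M:%S")
| where isnotnull(pubdate_epoch)
| bin pubdate_epoch span=6h
| eval pubdate_bucket=strftime(pubdate_epoch, "%Y-%m-%d %H:%M")
| stats count by pubdate_bucket
| sort pubdate_bucket
```

The where clause drops events whose pubdate did not parse (strptime returns null on a format mismatch) so they do not collapse into a single misleading bucket. If span=6h is rejected on a non-_time field in your version, span=21600 (six hours in seconds) does the same thing, since the binned field is plain epoch seconds.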