I'm trying to create a timechart to show when logs were ingested. I'm trying to use _indextime, but it doesn't seem to be working. What am I missing in my SPL?
Current query:
index=web
| eval _time=strptime(_indextime, "%d-%b-%y %H:%M:%S")
| timechart span=1h count by index