I am plotting a timechart based on a datetime field (timestamp) in the event. The search query looks like:
* "logname=customlog"
| fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message
| spath input=Message output=EventMessage path=Message
| spath input=Message output=event_id path=event_id
| spath input=Message output=timestamp path=timestamp
| eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S")
| eval _time=NewTime
| addinfo
| where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity")
| timechart count by event_id
Events in my data are between Feb 2011 and Mar 2011. This works fine for "All Time", but when I set the time range to anything less than the time when I posted the data, I get no results. It seems like _time is not getting overridden by the search query as intended.
Can someone please help?
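As an added illustration (not part of the original post), here is a variant of the search that filters on the parsed timestamp against an explicit window instead of comparing the overridden _time with the picker's info_min_time/info_max_time. It assumes the picker window is applied to the indexed _time before the eval runs, so the earliest/latest in the search string only need to cover the ingest time (earliest=-30d is an assumed value; adjust to when the data was posted), while the Feb-Mar 2011 bounds come from the question.

```spl
* "logname=customlog" earliest=-30d latest=now
| fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message
| spath input=Message output=event_id path=event_id
| spath input=Message output=timestamp path=timestamp
| eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S")
| eval IndexTime=_indextime
| where NewTime>=strptime("2011-02-01","%Y-%m-%d") AND NewTime<strptime("2011-04-01","%Y-%m-%d")
| eval _time=NewTime
| timechart span=1d count by event_id
```

Running the same search with `| table timestamp NewTime IndexTime` instead of the timechart shows, per event, the parsed time versus the ingest time, which makes it clear which of the two a given picker range is actually constraining.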