how to timeslice by a parsed timestamp field

Follow

Heng Zhang

• May 30, 2020 04:04

in my query i have a parsed timestamp which is the actual event time of this record.

it is specific to the application but not a _recieveTime or _messageTime that is specific to log

i want to timeslice by that parsed timestamp field. 

the command timeslice cannot pass a field.

so how i can do it?

0

• 

  Latimer Luis

  • May 30, 2020 17:48

  I think you'll definitely want to consider using this event time as your message time and making some adjustments to your source configurations: https://help.sumologic.com/03Send-Data/Sources/04Reference-Information-for-Sources/Timestamps%2C-Time-Zones%2C-Time-Ranges%2C-and-Date-Formats#Specifying_a_custom_timestamp_format
  
  

  By specifying a custom timestamp format at the source, you can use Sumo's native time-based parameters and operators in your downstream queries, without having to workaround this. 
  
  Otherwise, the "hack" (again, NOT recommended) would be to trick the system into believing the event timestamp is the _messageTime at the start of your query. This requires the customer event timestamp to be in mills. 
  
  (search scope) ...
  | event_time_in_millis as _messageTime
  | timeslice 1m
  ... (rest of query)

  0

  Comment actions Permalink
• 

  Heng Zhang

  • June 21, 2020 00:22

  thank you. that works

  0

  Comment actions Permalink

Please sign in to leave a comment.