https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223161#M43710 <P>What version of Splunk are you running on what OS and please add the search you are using - thanks.</P> Thu, 11 Aug 2016 20:47:17 GMT MuS 2016-08-11T20:47:17Z https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223160#M43709 <P>I am a newbie on Splunk. When I do a search on Splunk, time is shown as normal <CODE>MM:DD:YYYY HH:MM:SS</CODE> format </P> <P>However, when I export the file to CSV, it automatically converts time to Epoch time.</P> <P>Is there a better way to achieve this? I tried saving time to different variable in the hope it saves as string. No luck with anything. Any help is much appreciated.</P> <P>Thanks in advance</P> Thu, 11 Aug 2016 20:38:54 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223160#M43709 rajnepali 2016-08-11T20:38:54Z https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223161#M43710 <P>What version of Splunk are you running on what OS and please add the search you are using - thanks.</P> Thu, 11 Aug 2016 20:47:17 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223161#M43710 MuS 2016-08-11T20:47:17Z https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223162#M43711 <P>I am running Splunk 5.0.3 on Ubuntu 12.04. My query looks like:</P> <PRE><CODE>eventtype="ossec" ossec_server="*" reporting_host!=ABC integrity NOT HKEY NOT tag::eventtype=noise NOT WinEvtLog NOT repo |transaction reporting_host,file_dirname|fields time, reporting_host, reporting_ip, action,file_name |mvexpand file_name </CODE></PRE> Thu, 11 Aug 2016 20:52:38 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223162#M43711 rajnepali 2016-08-11T20:52:38Z https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223163#M43712 <P>Seems like your search results include the _time field which shows human-readable format in Splunk visualizations (it's a special field) but holds an epoch value. When exported as csv, it's original epoch value can be seen. </P> <P>If you want to export a string formatted date, then you'd need to create a formatted string out of _time field, like this</P> <PRE><CODE>eventtype="ossec" ossec_server="*" reporting_host!=ABC integrity NOT HKEY NOT tag::eventtype=noise NOT WinEvtLog NOT repo |transaction reporting_host,file_dirname | eval time=strftime(_time,"%m/%d/%Y %H:%M:%S.%N") |fields time, reporting_host, reporting_ip, action,file_name |mvexpand file_name </CODE></PRE> Thu, 11 Aug 2016 21:26:18 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223163#M43712 somesoni2 2016-08-11T21:26:18Z https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223164#M43713 <P>Thanks much @somesoni2. That works great.</P> Thu, 11 Aug 2016 21:47:53 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-CSV-export-change-the-time-format-to-Epoch-time/m-p/223164#M43713 rajnepali 2016-08-11T21:47:53Z