topic Re: Unable to extract Time in search results in Splunk Search

Unable to extract Time in search results

ramprakash — Tue, 24 Mar 2020 16:49:02 GMT

Hi All,

I have proper timestamp logs in Splunk. I am able to extract time for all the searches except one.

index =mtp | stats count by Activity user

when i need count for these two fields, i am getting the result but not Time.

Can someone please suggest.

Re: Unable to extract Time in search results

richgalloway — Tue, 24 Mar 2020 17:02:04 GMT

The stats command discards all fields except those used in the command itself. In your example, only 'count', 'Activity', and 'user' will be available for use after stats. Depending on how you intend to use Time, try one of stats count, values(_time) as Time by Activity, user or stats count, latest(_time) as Time by Activity, user.

Re: Unable to extract Time in search results

ramprakash — Tue, 24 Mar 2020 17:41:24 GMT

Hey Thanks it worked but i am getting time in below format.

Activity
user
count
Time
accueil AD161 2 1585034778.911
accueil DRA4D 4 1584974193.304

Re: Unable to extract Time in search results

ramprakash — Tue, 24 Mar 2020 17:50:19 GMT

I am able to do so with below command

eval time=strftime(Time,"%m/%d/%y")