topic Re: Unable to rename _time as Time in Splunk Search

Unable to rename _time as Time

wuming79 — Mon, 12 Jun 2017 16:15:35 GMT

Hi,

I'm trying to rename _time as Time so that it will display the timestamp in YYYY-MM-DD HH:MM:SS. But when I do rename _time AS "Time" | table Time, it will show the time as Epoch time which was the original format extracted from the log file. How do I rename and table it correctly?

Re: Unable to rename _time as Time

cmerriman — Mon, 12 Jun 2017 16:18:27 GMT

try to do an |eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")|table time...

Re: Unable to rename _time as Time

horsefez — Mon, 12 Jun 2017 16:22:17 GMT

Hi wuming79,

you can't rename the _time field without getting the value all f*cked up.

Instead do something like this:

yoursearch | eval TIME=strftime(_time, "%d-%m-%Y %H:%M:%S") | table TIME | rename TIME AS whateveryouwantittobe

Re: Unable to rename _time as Time

BlueSocket — Mon, 12 Jun 2017 16:22:53 GMT

I suggest that you don't do a rename of _time, try using an eval to add "Time" and then remove the _time with fields -, such as;

| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time | table Time

That works for me.

Re: Unable to rename _time as Time

wuming79 — Mon, 12 Jun 2017 16:37:31 GMT

Thanks Guys!

Re: Unable to rename _time as Time

woodcock — Mon, 12 Jun 2017 16:41:18 GMT

The _time field is very special in a number of ways and one of them is that it automatically does this under the sheets:

| fieldformat _time = strftime(_time, <YourLocalRegionTimeFormatStringHere>)

You can do the same like this:

| rename _time AS Time
| fieldformat Time = strftime(Time, "%m/%d/%Y %H:%M:%S")

Re: Unable to rename _time as Time

woodcock — Mon, 12 Jun 2017 16:42:05 GMT

Please see my other answer below; the way to make it exactly the same is with fieldformat, not with eval.

Re: Unable to rename _time as Time

wuming79 — Mon, 19 Jun 2017 05:21:53 GMT

Hi Guys,

I just realized after using the suggested formats, my earliest to latest timestamp is from right to left instead of the normal left to right. How can I reversed this to go from left to right?

How do I also make the timestamp display on the x-axis? There is only label rotation in x-axis format.

Re: Unable to rename _time as Time

rjgreg — Fri, 01 Oct 2021 18:50:34 GMT

@woodcock I have been dragging though a ton of these threads trying to find a simple way to fix how my field _time output information. I just wanted the date, so I took off the time aspect of your command and BOOM. Thank you.

| rename _time AS Date | fieldformat Date = strftime(Date, "%Y-%m-%d")

Output:

Date

2021-10-01