https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84023#M21418 <P>The field name is <CODE>_indextime</CODE>, as shown. he is formatting it for you using the <CODE>convert</CODE> command <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert">http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert</A> since it is an epoch time and you might want it displayed differently. There is of course more than one way to reformat the timestamp.</P> Sat, 05 Oct 2013 23:44:18 GMT gkanapathy 2013-10-05T23:44:18Z https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84019#M21414 <P>I'm having a hard time displaying the event index time in a table. What is the field name for index time?</P> Fri, 04 Oct 2013 21:12:52 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84019#M21414 echojacques 2013-10-04T21:12:52Z https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84020#M21415 <P>Something like '* | convert ctime(_indextime) as it | table host it'.</P> Fri, 04 Oct 2013 21:31:21 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84020#M21415 jkerai 2013-10-04T21:31:21Z https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84021#M21416 <P>Isn't there just a field name to display the event or index time? I tried the above and it didn't work.</P> Fri, 04 Oct 2013 22:45:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84021#M21416 echojacques 2013-10-04T22:45:54Z https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84022#M21417 <P>Field names starting with an underscore usually will not show up in a results table. The easiest thing to do is use the <CODE>eval</CODE> command to make a new field that is viewable. Note it will be in epoch time (that is seconds-since 1/1/1970 00:00:00 UTC)</P> <P>In addition to the technique shown by Jag above, you could try adding this to your search:</P> <PRE><CODE>| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S") </CODE></PRE> <P>which should make a new field called <CODE>indextime</CODE> with a ISO-formatted value.</P> Sat, 05 Oct 2013 05:28:50 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84022#M21417 dwaddle 2013-10-05T05:28:50Z https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84023#M21418 <P>The field name is <CODE>_indextime</CODE>, as shown. he is formatting it for you using the <CODE>convert</CODE> command <A href="http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert">http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert</A> since it is an epoch time and you might want it displayed differently. There is of course more than one way to reformat the timestamp.</P> Sat, 05 Oct 2013 23:44:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84023#M21418 gkanapathy 2013-10-05T23:44:18Z https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84024#M21419 <P>Thank you.</P> Mon, 07 Oct 2013 16:00:41 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84024#M21419 echojacques 2013-10-07T16:00:41Z https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84025#M21420 <P>So I was able to display the time in a table by simply adding the filed " _time ". Works great and no eval or convert required!</P> Tue, 08 Oct 2013 15:29:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84025#M21420 echojacques 2013-10-08T15:29:38Z https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84026#M21421 <P>that is not the index time. that is the event time.</P> Tue, 08 Oct 2013 15:30:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84026#M21421 gkanapathy 2013-10-08T15:30:53Z https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84027#M21422 <P>Oh Ok, thanks for the clarification. Now thanks to the input I know how to display index time and the event time. Thanks again.</P> Tue, 08 Oct 2013 15:51:07 GMT https://community.splunk.com/t5/Splunk-Search/How-to-display-index-time-in-table/m-p/84027#M21422 echojacques 2013-10-08T15:51:07Z