<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: _time related... in Splunk Search</title>
    <link>https://community.splunk.com/t5/Splunk-Search/time-related/m-p/752199#M242593</link>
    <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/273058"&gt;@Raj_Splunk_Ing&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Splunk does store _time as Unix epoch time. But when you use commands like | table _time, Splunk automatically formats _time into a human-readable timestamp.&lt;/P&gt;&lt;P&gt;With a where clause you can use something like the search below:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;lt;BASE_SEARCH&amp;gt;
| eval date_only=strftime(_time, "%Y-%m-%d")
| where date_only &amp;gt;= "2025-07-01" AND date_only &amp;lt;= "2025-07-31"&lt;/LI-CODE&gt;&lt;P&gt;&lt;BR /&gt;Splunk's built-in time modifiers are even more efficient.&lt;BR /&gt;Eg:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index=your_index sourcetype=your_sourcetype earliest="07/01/2025:00:00:00" latest="07/31/2025:23:59:59"&lt;/LI-CODE&gt;&lt;P&gt;&lt;BR /&gt;Regards,&lt;BR /&gt;Prewin&lt;BR /&gt;If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!&lt;/P&gt;</description>
    <pubDate>Tue, 26 Aug 2025 04:12:42 GMT</pubDate>
    <dc:creator>PrewinThomas</dc:creator>
    <dc:date>2025-08-26T04:12:42Z</dc:date>
    <item>
      <title>_time related...</title>
      <link>https://community.splunk.com/t5/Splunk-Search/time-related/m-p/752194#M242591</link>
      <description>&lt;P&gt;Hi, it might be very simple but I am missing something.&lt;BR /&gt;When I look at the _time value along with other fields in the Splunk results, I see the _time values like below.&lt;/P&gt;&lt;P&gt;This is not Unix epoch time, right? Because Unix/epoch time values will be all numbers, like 7589541266985 (as an example) - correct?&lt;/P&gt;&lt;P&gt;I read that _time is by default epoch, then why do I see this format in my results when I run the query? |table _time, field1,field2&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;_time&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;2025-07-26 04:45:16.549&lt;BR /&gt;&lt;BR /&gt;From &lt;STRONG&gt;_time&amp;nbsp;&lt;/STRONG&gt;I just want to get the date part without the time, like 2025-07-26, and use it in the where clause as a filter to restrict the data to July - previous month data, like&amp;nbsp; &amp;gt;=2025-07-01 and &amp;lt;=2025-07-32&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Mon, 25 Aug 2025 23:04:57 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/time-related/m-p/752194#M242591</guid>
      <dc:creator>Raj_Splunk_Ing</dc:creator>
      <dc:date>2025-08-25T23:04:57Z</dc:date>
    </item>
    <item>
      <title>Re: _time related...</title>
      <link>https://community.splunk.com/t5/Splunk-Search/time-related/m-p/752195#M242592</link>
      <description>&lt;P&gt;I believe that you are looking in Splunk views. &amp;nbsp;Across nearly all interfaces, Splunk always displays the field named _time as calendar time. &amp;nbsp;You can try this to see if that field is epoch or string:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| eval question = if(isnum(_time), "is", "is not") . " numeric"&lt;/LI-CODE&gt;&lt;P&gt;You can also display an arbitrary numeric value as a calendar entry. &amp;nbsp;For example:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;| makeresults format=csv data="anynumber
1234"
| eval _time = anynumber&lt;/LI-CODE&gt;&lt;TABLE&gt;&lt;TBODY&gt;&lt;TR&gt;&lt;TD&gt;_time&lt;/TD&gt;&lt;TD&gt;anynumber&lt;/TD&gt;&lt;/TR&gt;&lt;TR&gt;&lt;TD&gt;1969-12-31 16:20:34&lt;/TD&gt;&lt;TD&gt;1234&lt;/TD&gt;&lt;/TR&gt;&lt;/TBODY&gt;&lt;/TABLE&gt;</description>
      <pubDate>Tue, 26 Aug 2025 01:48:51 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/time-related/m-p/752195#M242592</guid>
      <dc:creator>yuanliu</dc:creator>
      <dc:date>2025-08-26T01:48:51Z</dc:date>
    </item>
    <item>
      <title>Re: _time related...</title>
      <link>https://community.splunk.com/t5/Splunk-Search/time-related/m-p/752199#M242593</link>
      <description>&lt;P&gt;&lt;a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/273058"&gt;@Raj_Splunk_Ing&lt;/a&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Splunk does store _time as Unix epoch time. But when you use commands like | table _time, Splunk automatically formats _time into a human-readable timestamp.&lt;/P&gt;&lt;P&gt;With a where clause you can use something like the search below:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;&amp;lt;BASE_SEARCH&amp;gt;
| eval date_only=strftime(_time, "%Y-%m-%d")
| where date_only &amp;gt;= "2025-07-01" AND date_only &amp;lt;= "2025-07-31"&lt;/LI-CODE&gt;&lt;P&gt;&lt;BR /&gt;Splunk's built-in time modifiers are even more efficient.&lt;BR /&gt;Eg:&lt;/P&gt;&lt;LI-CODE lang="markup"&gt;index=your_index sourcetype=your_sourcetype earliest="07/01/2025:00:00:00" latest="07/31/2025:23:59:59"&lt;/LI-CODE&gt;&lt;P&gt;&lt;BR /&gt;Regards,&lt;BR /&gt;Prewin&lt;BR /&gt;If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 26 Aug 2025 04:12:42 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Splunk-Search/time-related/m-p/752199#M242593</guid>
      <dc:creator>PrewinThomas</dc:creator>
      <dc:date>2025-08-26T04:12:42Z</dc:date>
    </item>
  </channel>
</rss>