https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100685#M26003 <P>Its custom time, so not possible to set the time range. Following search worked for me.</P> <P>... | convert timeformat="%m/%e/%Y %I:%M:%S %p" mktime(Time) AS Time_epoch mktime(now) AS now_epoch | eval age=round((Time_epoch-now_epoch)/60/60/24)</P> Mon, 28 Sep 2020 14:23:38 GMT d12harshal 2020-09-28T14:23:38Z https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100683#M26001 <P>Dear Splunkers,<BR /> My search results contain fields <STRONG>Name, Time</STRONG> as Test1, Test2, Test3, Test4 and 1375351200.000, 1417863600.000, 1375351200.000, 1375351200.000</P> <P>My Requirement: I trying to convert time to human readable standard format, and also final report must only contain a report with time(date) less than a week. Adding of extra fields also not a problem.</P> <P>Could any please help me out. Thanks in advance.</P> <P>Regards,<BR /> Harshal</P> Fri, 19 Jul 2013 08:42:41 GMT https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100683#M26001 d12harshal 2013-07-19T08:42:41Z https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100684#M26002 <P>Add the following and then add the field time to your table.<BR /> | convert ctime(_time) as time</P> <P>Then set your search range for past seven days or specify the time range in the time range picker.</P> Fri, 19 Jul 2013 12:28:12 GMT https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100684#M26002 jgedeon120 2013-07-19T12:28:12Z https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100685#M26003 <P>Its custom time, so not possible to set the time range. Following search worked for me.</P> <P>... | convert timeformat="%m/%e/%Y %I:%M:%S %p" mktime(Time) AS Time_epoch mktime(now) AS now_epoch | eval age=round((Time_epoch-now_epoch)/60/60/24)</P> Mon, 28 Sep 2020 14:23:38 GMT https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100685#M26003 d12harshal 2020-09-28T14:23:38Z https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100686#M26004 <P>Hi,</P> <P>I am not sure why "mktime" instead "ctime" was used here.</P> <P>I would suggest the following search command.</P> <PRE><CODE>... | convert timeformat="%m/%d/%y %H:%M:%S" ctime(Time) as NewTime | where now() - Time &lt; 604800 </CODE></PRE> <P>Let me know if it works for you.</P> <P>EDIT: Just realized that earliest will work for "_time" field only which is not the time field for your case. So modified the search query to use "now". However the newer search might not work in all cases. The number 604800 is equal to number of seconds in a week.</P> <P>Regards,<BR /> Amit Saxena</P> Sun, 28 Jul 2013 13:55:45 GMT https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100686#M26004 amit_saxena 2013-07-28T13:55:45Z https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100687#M26005 <P>Sorry it was a long time, but in my case it is not possible with ctime.</P> Wed, 14 Aug 2013 10:59:41 GMT https://community.splunk.com/t5/Splunk-Search/Field-time-should-be-less-than-a-week/m-p/100687#M26005 d12harshal 2013-08-14T10:59:41Z