topic Re: Convert Splunk default time to human readable format in Splunk Search

Convert Splunk default time to human readable format

steveirogers — Mon, 28 Sep 2020 10:11:47 GMT

I have the following saved search which emails result daily to show indexing volume:
index=_internal host=prodlog todaysBytesIndexed LicenseManager-Audit NOT source=*web_service.log startdaysago=30 enddaysago=0 | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | timechart avg(Daily_Indexing_Volume_in_MBs) by host

However, in the emailed report, the date format is as follows:



_time             prodlog

1320642000


1320728400


1320814800  9392.988527

1320901200  23420.692374

1320987600  9222.176128

1321074000  8878.713042

Is it possible to convert the "_time" field to a user-friendly format? I searched throught some of the other questions but none really addressed this specific question.

Thanks.

Re: Convert Splunk default time to human readable format

yannK — Wed, 07 Dec 2011 17:50:30 GMT

You can use the convert functions.
see http://docs.splunk.com/Documentation/Splunk/4.2.4/SearchReference/Convert

example to convert and store in a new field
| convert ctime(_time) as time | table _time time

Re: Convert Splunk default time to human readable format

jaceknykis — Mon, 28 Sep 2020 10:11:50 GMT

Hi,

You could use strftime function for eval command to convert it. For example:

| eval human_readable_time=strftime(_time, "%Y-%d-%m %H:%M")

Re: Convert Splunk default time to human readable format

steveirogers — Wed, 14 Dec 2011 15:36:39 GMT

Jaceknykis and yannK, thank you both for responding to my query. (I tried to respond sooner but I was having problems logging to SplunkAnswers.

I tried both methods but the results did not change.
The problem might be in what I am trying to do. When I run the Saved Search manually in the browser, the results display correctly with formatted dates like this:



11/13/11 12:00:00.000 AM 3007.768024 

11/14/11 12:00:00.000 AM 2731.953137 

11/15/11 12:00:00.000 AM 9833.730893

However, I have this Saved Search implemented to run on a schedule and to email the results. The emailed results have the strangely formatted date like this:

 

1321160400  3007.768024

1321246800  2731.953137

1321333200  9833.730893

Any thoughts? Do I need to run some "conversion" on the output results instead?

Thanks again for your response.

Re: Convert Splunk default time to human readable format

gnovak — Wed, 14 Dec 2011 15:51:20 GMT

I have a similar search and I added | eval SpaceGB = Space/1048576 to my search and it seemed to work to convert my numbers to GB. I had the same issue.

My entire search I have looks something like this:

This search sorts the data and puts it into a table. Maybe try incorporating the | eval SpaceGB = Space/1048576 into your search and see if this makes a difference?

Re: Convert Splunk default time to human readable format

steveirogers — Mon, 28 Sep 2020 10:13:38 GMT

Great. Thanks gnovak, jaceknykis, yannK. Problem solved. It took portions of all of your responses. First I used the to get the time a usable format, but the dates in my alert were still not readable.
Then it dawned on me after reading gnovak's response that I was using the "timechart" function in my alert. I converted the "timechart" to "table display_time, indexing_volume" and "magically" the dates in my alert are in the correct format.

Thanks very much for all you help and pointing me in the right direction.

Re: Convert Splunk default time to human readable format

gnovak — Wed, 14 Dec 2011 20:13:50 GMT

cool! glad it worked out!