https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292073#M88224 <P>Or use the fieldformat command ( <CODE>| fieldformat_time=strftime(_time,"%Y-%m")</CODE> ).</P> Thu, 09 Feb 2017 17:29:24 GMT somesoni2 2017-02-09T17:29:24Z https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292070#M88221 <P>I have 2 searches: </P> <P><CODE>search1</CODE> and <CODE>search2</CODE></P> <P>search 1 gives :</P> <PRE><CODE>_time kpi1 kpi2 kpi3 kpi4 2016-01 493.26 636.06 56.322 1129.32 </CODE></PRE> <P>search 2 gives :</P> <PRE><CODE>_time kpi1 kpi2 kpi3 kpi4 2017-01 193.26 44.06 34.322 239.32 </CODE></PRE> <P>I combine them with the <CODE>append</CODE> (e.g. <CODE>search 1 ... | append [ search2 ...]</CODE>)</P> <PRE><CODE> _time kpi1 kpi2 kpi3 kpi4 2016 470.55 277.07 37.060 747.62 2017 193.26 44.06 34.322 239.32 </CODE></PRE> <P>but not the time format loses the month (e.g 2017-01 becomes 2017)</P> <P><STRONG>How do I get it to hold on to the month?</STRONG></P> <PRE><CODE> _time kpi1 kpi2 kpi3 kpi4 2016-01 470.55 277.07 37.060 747.62 2017-01 193.26 44.06 34.322 239.32 </CODE></PRE> Thu, 09 Feb 2017 01:35:06 GMT https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292070#M88221 HattrickNZ 2017-02-09T01:35:06Z https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292071#M88222 <P>can you try to put _time into epoch on both searches and then change the format to YYYY-MM after the append to see if that works?</P> Thu, 09 Feb 2017 02:06:01 GMT https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292071#M88222 cmerriman 2017-02-09T02:06:01Z https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292072#M88223 <P>If you left _time in its original, epoch format in both searches, and each search is returning only a single record, then the interface may just be guessing that you only care about the year. Tell it what you want.</P> <PRE><CODE>| eval _time=strftime(_time,"%Y-%m") </CODE></PRE> <HR /> <P>See somesoni2's answer below, which leaves the underlying field in epoch format and probably should be the general way you do this stuff.</P> Thu, 09 Feb 2017 17:21:51 GMT https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292072#M88223 DalJeanis 2017-02-09T17:21:51Z https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292073#M88224 <P>Or use the fieldformat command ( <CODE>| fieldformat_time=strftime(_time,"%Y-%m")</CODE> ).</P> Thu, 09 Feb 2017 17:29:24 GMT https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292073#M88224 somesoni2 2017-02-09T17:29:24Z https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292074#M88225 <P>tks @DalJeanis, that worked.</P> Thu, 09 Feb 2017 21:11:10 GMT https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292074#M88225 HattrickNZ 2017-02-09T21:11:10Z https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292075#M88226 <P>Awesome! Good to hear.</P> Thu, 09 Feb 2017 23:26:57 GMT https://community.splunk.com/t5/Splunk-Search/appending-2-searches-date-format-is-lost-YYYY-MM-becomes-YYYY/m-p/292075#M88226 DalJeanis 2017-02-09T23:26:57Z