I have a search that looks like this:
index=dog sourcetype=cat earliest=-30d 
[| inputlookup LU1_siem_set_list where f_id=*$pick_f_id$*
| stats values(mc) as search
| eval search="mc=".mvjoin(search," OR mc=")]
| stats latest(_time) by ip
What I see is:
mc          latest(_time)
00.00.01    1715477192
00.00.02    1715477192
00.00.03    1715477192
How to present this in a dashboard with time formatted?
Thanks!
Thanks, it does help, but when I'm trying to put it in a column chart it does not display anything except the field names _time and ip.
Am I doing something wrong?
Thanks!
 
Verify the IP field does not have any null values, because results will not be shown if a group-by field has null values.
 
If the field is named _time then Splunk will format it automatically.
index=dog sourcetype=cat earliest=-30d 
[| inputlookup LU1_siem_set_list where f_id=*$pick_f_id$*
  | stats values(mc) as search
  | eval search="mc=".mvjoin(search," OR mc=")]
| stats latest(_time) as _time by ip
Otherwise, you can use the convert command to format it.
index=dog sourcetype=cat earliest=-30d 
[| inputlookup LU1_siem_set_list where f_id=*$pick_f_id$*
  | stats values(mc) as search
  | eval search="mc=".mvjoin(search," OR mc=")]
| stats latest(_time) by ip
| convert ctime('latest(_time)')
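
An added example, not from any poster in this thread, that combines the two points above on constructed rows: events with a null group-by field are dropped by stats unless the field is filled first, and fieldformat changes only how the timestamp is displayed while the value stays a numeric epoch. The sample IPs, the "(no ip)" placeholder and the field name last_seen are assumptions made for illustration.

```spl
| makeresults count=4
| streamstats count as n
``` constructed sample rows: row 3 has no ip value ```
| eval ip=case(n=1, "10.0.0.1", n=2, "10.0.0.2", n=4, "10.0.0.1")
| eval _time=1715477192 + n*60
``` without this fillnull, row 3 would not appear in the stats output ```
| fillnull value="(no ip)" ip
| stats latest(_time) as last_seen by ip
``` display as a readable date; the underlying value remains epoch seconds ```
| fieldformat last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
```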