Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why does outputlookup gives a different _time column compared to "export", in a .csv file?

rosho
Communicator
‎06-07-2019 01:18 PM

Hi
I used SPL to get the number of logins by the hour for 1 month. The goal is to later import them into python using pandas.
But I am having problems understanding the "_time" column.

This is what I see in Splunk's SPL search result:
alt text

But when I export it into .csv, I see: 

                      _time   Logins
2019-05-01T00:00:00.000-0400    3735
2019-05-01T01:00:00.000-0400    4665
2019-05-01T02:00:00.000-0400    5860
2019-05-01T03:00:00.000-0400    5184
2019-05-01T04:00:00.000-0400    5324
2019-05-01T05:00:00.000-0400    5523
2019-05-01T06:00:00.000-0400    8863
2019-05-01T07:00:00.000-0400    12493

And when I use "outpulookup" to create the .csv, I see: 

   _time    logins  _span
1556683200  3735    3600
1556686800  4665    3600
1556690400  5860    3600
1556694000  5184    3600
1556697600  5324    3600
1556701200  5523    3600
1556704800  8863    3600
1556708400  12493   3600

The SPL to get the search results are:

index=fortigate status=logon
|timechart span=1h count(status) as logins

Thank you

Preview file
14 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martynoconnor
Communicator
‎06-07-2019 01:21 PM

When you export to csv, Splunk is showing literally what you see in the search results, when you do outputlookup, Splunk is inserting the value for _time that the field normally has, which is an epoch time. Splunk treats _time as a special field and so will automatically convert epoch to human readable in the UI. That's why it looks different when you compare the two searches. One is deliberately meant to be human readable, the other is meant to be readable by Splunk.

View solution in original post

Reply
Solved! Jump to solution
Solution

martynoconnor
Communicator
‎06-07-2019 01:21 PM

When you export to csv, Splunk is showing literally what you see in the search results, when you do outputlookup, Splunk is inserting the value for _time that the field normally has, which is an epoch time. Splunk treats _time as a special field and so will automatically convert epoch to human readable in the UI. That's why it looks different when you compare the two searches. One is deliberately meant to be human readable, the other is meant to be readable by Splunk.

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...