Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I display the date in my report

ttudor
Explorer
‎10-08-2014 08:28 AM

I am new to splunk and I am using the app search and reporting. I am trying to display the event date in my search results. I have three fields date_mday, date_month, date_year in the log file. I want to combine those three fields into one field that displays on the report. Any suggestions?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hortonew
Builder
‎10-08-2014 08:30 AM

I think you're looking for the _time field. e.g. | table _time, field1, field2

View solution in original post

Reply
Solved! Jump to solution

jeremiahc4
Builder
‎10-08-2014 08:58 AM

I think you want the strftime() method of the eval command;

strftime(X,Y)

This function takes an epochtime value, X, as the first argument and renders it as a string using the format specified by Y. For a list and descriptions of format options, refer to the topic "Common time format variables". This example returns the hour and minute from the _time field:

... | eval n=strftime(_time, "%H:%M")

Use the following to determine which pieces of _time to use for the date;
http://docs.splunk.com/Documentation/Splunk/6.1.4/SearchReference/Commontimeformatvariables

It would appear %F would be what you need (i.e. | eval n=strftime(_time, "%F")

0 Karma
Reply
Solved! Jump to solution
Solution

hortonew
Builder
‎10-08-2014 08:30 AM

I think you're looking for the _time field. e.g. | table _time, field1, field2

Reply
Solved! Jump to solution

janderja
New Member
‎04-01-2015 10:57 AM

I just want to add the date/time to the report to indicate when the report was created or over what period of time that pertains to the analysis.

0 Karma
Reply
Solved! Jump to solution

ttudor
Explorer
‎10-08-2014 09:46 AM

I changed the code to
| stats count by sch_id, java_version, _time | eval n=strftime(_time, "%m %d, %Y" ) |

I am still getting the 2014-10-08 08:36:08

0 Karma
Reply
Solved! Jump to solution

ttudor
Explorer
‎10-08-2014 10:03 AM

Perfect thank you

0 Karma
Reply
Solved! Jump to solution

hortonew
Builder
‎10-08-2014 09:53 AM

You're doing a stats function on the variable "_time" so it will display that. Again, you want to do your eval before your stats function, and do the stats on the new variable "n"

0 Karma
Reply
Solved! Jump to solution

ttudor
Explorer
‎10-08-2014 09:41 AM

When I run

| stats count by sch_id, java_version _time | eval _time=strftime(_time, "%H:%M")

It returns

0Nan-NaN-NaN–NaN:NaN:NaN

0 Karma
Reply
Solved! Jump to solution

hortonew
Builder
‎10-08-2014 09:48 AM

you should be doing the stats function after the eval function. you should also declare a new time variable:

| eval newtime=strftime(_time, "%H:%M") | stats count by sch_id, java_version newtime

0 Karma
Reply
Solved! Jump to solution

ttudor
Explorer
‎10-08-2014 08:37 AM

Thanks, it pulls in the information. It displays as 2014-10-08 08:36:08. Anyway I can get it to 10/08/2014 ?

0 Karma
Reply
Solved! Jump to solution

hortonew
Builder
‎10-08-2014 08:41 AM

| eval desired_time=strftime(_time, "%m/%d/%Y") | table desired_time, _time

Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...