Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

OutputCSV result is different than Splunk display

mhng
New Member
‎12-23-2014 08:51 PM

Hi,

I've tried to query search command on Splunk which is (CALL_STOPPED OR CALL_SUCCESSFUL) COMLib earliest=11/11/2014:00:00:00 | timechart span=1d count AS "Calls"The result display in Splunk will be two columns ( _time, Calls).

Eg. _time Calls
2014-11-11 30

But when I tried to export to CSV via this command (CALL_STOPPED OR CALL_SUCCESSFUL) COMLib earliest=11/11/2014:00:00:00 | timechart span=1d count AS "Calls"| outputcsv result.csv, the CSV will display another format.

Eg. _time Calls _span _spandays
1415635200 0 86400 1

Can I know why this happening?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎12-24-2014 09:10 PM

As Martin points out, you want to change the epoch(unix) time format to human readable. Your search should become something like this:

 (CALL_STOPPED OR CALL_SUCCESSFUL) COMLib earliest=11/11/2014:00:00:00 | timechart span=1d count AS "Calls" | eval _time=humanreadabletime  | fieldformat humanreadabletime = strftime(humanreadabletime, "%F %T.%3N") | table humanreadabletime Calls |  outputcsv result.csv

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

esix_splunk
Splunk Employee
Splunk Employee
‎12-24-2014 09:10 PM

As Martin points out, you want to change the epoch(unix) time format to human readable. Your search should become something like this:

 (CALL_STOPPED OR CALL_SUCCESSFUL) COMLib earliest=11/11/2014:00:00:00 | timechart span=1d count AS "Calls" | eval _time=humanreadabletime  | fieldformat humanreadabletime = strftime(humanreadabletime, "%F %T.%3N") | table humanreadabletime Calls |  outputcsv result.csv
0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎12-23-2014 09:20 PM

Field names with "_"'s in them are internal fields in Splunk. Outcsv is ouputing those as you have not formatted the search to only use those fields. So your search should be:

(CALL_STOPPED OR CALL_SUCCESSFUL) COMLib earliest=11/11/2014:00:00:00 | timechart span=1d count AS "Calls"| table _time Calls | outputcsv result.csv

That will output to csv the proper fields you want to see.

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎12-24-2014 08:33 PM

That's the underlying timestamp representation as unix timestamps. You can format that manually if needed, for example ... |fieldformat field = strftime(field, "%F %T.%3N") will give you a date and time in human-readable format. All Splunk commands such as timechart work off the unix timestamp though, so format at the very end if needed. Additionally, the _time field should usually be formatted according to your browser's locale automatically.

0 Karma
Reply
Solved! Jump to solution

mhng
New Member
‎12-24-2014 08:17 PM

Thanks esix_splunk,

One more question, the CSV file has output column I needed. However, on the _time column is still show 1415635200 value, instead of the date(e.g. 2014-11-11). Any comments for this issue?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...