Reporting

exporting data into a csv file in splunk + _time format changes to `2015-09-15T00:00:00.000+1200` but want `"2015-09-15 00:00:00`

HattrickNZ
Motivator

exporting data into a csv file in splunk

i have a search that gives me data as follows in the stats tab.

_time   ABC1-OUT-MB ABC2-OUT-Mbps
2015-09-15 00:00:00 24144.1990  603.604974
2015-09-15 00:05:00 23642.2730  591.056826
2015-09-15 00:10:00 22453.5770  561.339425
2015-09-15 00:15:00 20894.8522  522.371305
2015-09-15 00:20:00 20389.8815  509.747037
2015-09-15 00:25:00 19339.4728  483.486819

when I export it to a csv file the _time column gets this funky formatting 2015-09-15T00:00:00.000+1200

_time   ABC1-OUT-MB ABC2-OUT-Mbps
2015-09-15T00:00:00.000+1200    24144.199   603.604974
2015-09-15T00:05:00.000+1200    23642.273   591.056826
2015-09-15T00:10:00.000+1200    22453.577   561.339425
2015-09-15T00:15:00.000+1200    20894.8522  522.371305
2015-09-15T00:20:00.000+1200    20389.8815  509.747037
2015-09-15T00:25:00.000+1200    19339.4728  483.486819

Is there a way I can export it into csv so that it looks liket the below format in the csv?
2015-09-15 00:00:00

my workaround at the minute is to fiddle with it inexcel

0 Karma

gcato
Contributor

Hi Hattrick,

The _time field is treated specially when displayed in splunk. The easiest way would be to eval the _time value into another field with strftime() and then use the new time field instead. For example

... | eval mytime = strftime(_time, "%Y-%m-%d %H:%M:%S") | table mytime ...

Hope that helps.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...