Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

using _time in a scheduled search

kagouros1
Explorer
‎07-24-2013 11:08 PM

Hi,

I have the following problem and am wondering if this is a bug or am I doing something wrong:
I use a scheduled search to find some events with a specific windows error ID. Then I look at it as a table using:

|table _time,

No I created a scheduled search based on that, where I send the result as an email with a csv-attachment.
In the csv-attachment (as opposed to the interactive version) I get the _time column filled in epoch (seconds since 1970) format instead of a human readable form that I get in the search app. Is this a bug or do I have to do something to make this work properly. Everything on 5.0.3.

Cheers,

Konstantin

Tags (1)
Reply

linu1988
Champion
‎07-24-2013 11:22 PM

Hello Konstantin,
I seems like that _time is converted to the epoch format. But if you want to show it in the conventional format. Please use the strftime() fuction before you do the table

eval TimeStamp=strftime(_time,"%d/%m/%y %H:%M:%s %p")|table TimeStamp,

Thanks

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-25-2013 03:31 AM

In the search app you get a humanly readable conversion for _time by automagic, underneath it's epoch seconds there as well. You can verify this by adding | eval foo = _time to some query, it will show epoch seconds for fóo and humanly readable for _time.

Manually, this for-view formatting without changing the underlying value is invoked by the SPL command fieldformat, see more explanation there.

0 Karma
Reply

linu1988
Champion
‎07-25-2013 03:19 AM

Please accept the answer if it was the solution/helpful!! Thanks

0 Karma
Reply

linu1988
Champion
‎07-24-2013 11:30 PM

Happy to Help!! 🙂

0 Karma
Reply

kagouros1
Explorer
‎07-24-2013 11:27 PM

Thanks this fixes my problem. Just wondering why it is not converted to epoch if I do this from the search app. However I can work with this 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...