Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

using _time in a scheduled search

kagouros1
Explorer
‎07-24-2013 11:08 PM

Hi,

I have the following problem and am wondering if this is a bug or am I doing something wrong:
I use a scheduled search to find some events with a specific windows error ID. Then I look at it as a table using:

|table _time,

No I created a scheduled search based on that, where I send the result as an email with a csv-attachment.
In the csv-attachment (as opposed to the interactive version) I get the _time column filled in epoch (seconds since 1970) format instead of a human readable form that I get in the search app. Is this a bug or do I have to do something to make this work properly. Everything on 5.0.3.

Cheers,

Konstantin

Tags (1)
Reply

linu1988
Champion
‎07-24-2013 11:22 PM

Hello Konstantin,
I seems like that _time is converted to the epoch format. But if you want to show it in the conventional format. Please use the strftime() fuction before you do the table

eval TimeStamp=strftime(_time,"%d/%m/%y %H:%M:%s %p")|table TimeStamp,

Thanks

Reply

martin_mueller
SplunkTrust
SplunkTrust
‎07-25-2013 03:31 AM

In the search app you get a humanly readable conversion for _time by automagic, underneath it's epoch seconds there as well. You can verify this by adding | eval foo = _time to some query, it will show epoch seconds for fóo and humanly readable for _time.

Manually, this for-view formatting without changing the underlying value is invoked by the SPL command fieldformat, see more explanation there.

0 Karma
Reply

linu1988
Champion
‎07-25-2013 03:19 AM

Please accept the answer if it was the solution/helpful!! Thanks

0 Karma
Reply

linu1988
Champion
‎07-24-2013 11:30 PM

Happy to Help!! 🙂

0 Karma
Reply

kagouros1
Explorer
‎07-24-2013 11:27 PM

Thanks this fixes my problem. Just wondering why it is not converted to epoch if I do this from the search app. However I can work with this 🙂

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...