I have the following saved search which emails result daily to show indexing volume:
index=_internal host=prodlog todaysBytesIndexed LicenseManager-Audit NOT source=*web_service.log startdaysago=30 enddaysago=0 | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | timechart avg(Daily_Indexing_Volume_in_MBs) by host
However, in the emailed report, the date format is as follows:
_time prodlog
1320642000
1320728400
1320814800 9392.988527
1320901200 23420.692374
1320987600 9222.176128
1321074000 8878.713042
Is it possible to convert the "_time" field to a user-friendly format? I searched through some of the other questions but none really addressed this specific question.
Thanks.
Great. Thanks gnovak, jaceknykis, yannK. Problem solved. It took portions of all of your responses. First I used the
Then it dawned on me after reading gnovak's response that I was using the "timechart" function in my alert. I converted the "timechart" to "table display_time, indexing_volume" and "magically" the dates in my alert are in the correct format.
Thanks very much for all your help and pointing me in the right direction.
cool! glad it worked out!
I have a similar search and I added | eval SpaceGB = Space/1048576 to my search and it seemed to work to convert my numbers to GB. I had the same issue.
My entire search I have looks something like this:
host="ynfs1" sourcetype=userdiskusage earliest=-1d | rex field=_raw "(?<Space>\d+)\s*\/home\/(?<UserName>\S+)" | search NOT UserName="shares" | eval SpaceGB = Space/1048576 | sort SpaceGB,UserName desc | head 20 | table UserName,SpaceGB
This search sorts the data and puts it into a table. Maybe try incorporating the | eval SpaceGB = Space/1048576 into your search and see if this makes a difference?
Jaceknykis and yannK, thank you both for responding to my query. (I tried to respond sooner but I was having problems logging in to SplunkAnswers.)
I tried both methods but the results did not change.
The problem might be in what I am trying to do. When I run the Saved Search manually in the browser, the results display correctly with formatted dates like this:
11/13/11 12:00:00.000 AM 3007.768024
11/14/11 12:00:00.000 AM 2731.953137
11/15/11 12:00:00.000 AM 9833.730893
However, I have this Saved Search implemented to run on a schedule and to email the results. The emailed results have the strangely formatted date like this:
1321160400 3007.768024
1321246800 2731.953137
1321333200 9833.730893
Any thoughts? Do I need to run some "conversion" on the output results instead?
Thanks again for your response.
Hi,
You could use the strftime function with the eval command to convert it. For example:
| eval human_readable_time=strftime(_time, "%Y-%d-%m %H:%M")
You can use the convert functions.
see http://docs.splunk.com/Documentation/Splunk/4.2.4/SearchReference/Convert
Example to convert and store in a new field:
| convert ctime(_time) as time | table _time time
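As an added example (not code from the thread or from Splunk), the script below does outside Splunk what the eval strftime and convert ctime answers above do inside a search: it rewrites the raw epoch values in the emailed table into the "MM/DD/YY HH:MM:SS.mmm AM/PM" form the browser showed. It assumes a fixed UTC-5 offset (US Eastern standard time, which is what makes the November 2011 epochs in the thread land on exactly 12:00 AM); the sample report text is constructed from the values posted above. The names format_epoch, convert_report and EMAILED_REPORT are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Assumed zone: a fixed UTC-5 offset (US Eastern standard time), which is in
# effect for the November 2011 dates in the thread. Splunk renders _time in
# the user's configured timezone, so change this to match your deployment.
EASTERN_STANDARD = timezone(timedelta(hours=-5))

# Constructed sample: the header line, two days with no license-audit value,
# and two days with a value, using epochs posted in the thread.
EMAILED_REPORT = """\
_time prodlog
1320642000
1320728400
1321160400 3007.768024
1321246800 2731.953137
"""


def format_epoch(epoch: int, tz: timezone = EASTERN_STANDARD) -> str:
    """Render a Unix epoch the way the Splunk browser UI showed it in the
    thread: MM/DD/YY HH:MM:SS.mmm AM/PM (milliseconds, 12-hour clock)."""
    dt = datetime.fromtimestamp(int(epoch), tz)
    millis = dt.microsecond // 1000
    return f"{dt.strftime('%m/%d/%y %I:%M:%S')}.{millis:03d} {dt.strftime('%p')}"


def convert_report(report: str, tz: timezone = EASTERN_STANDARD) -> list[str]:
    """Rewrite each '<epoch> [<value>]' line of an emailed table.

    Lines whose first token is not an epoch (the header) pass through
    unchanged; a line with an epoch but no value keeps an empty value, which
    is how days without a license-audit event appeared in the email."""
    converted = []
    for line in report.splitlines():
        parts = line.split()
        if not parts:
            continue  # skip blank lines
        if not parts[0].isdigit():
            converted.append(line)  # header row such as "_time prodlog"
            continue
        stamp = format_epoch(int(parts[0]), tz)
        rest = " ".join(parts[1:])
        converted.append(f"{stamp} {rest}".rstrip())
    return converted


if __name__ == "__main__":
    for row in convert_report(EMAILED_REPORT):
        print(row)
```

The fixed offset is deliberate: it keeps the output reproducible, but it is also the caveat. Splunk's strftime and ctime apply the timezone of the user who owns the saved search, so if the emailed epochs do not land on midnight in the zone you pick here, the search owner's timezone setting is the first thing to check.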