Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Did _time format (when displaying it) change?

Sqig
Path Finder
‎08-31-2012 09:37 AM

Hi. We recently upgraded from a 4.2 installation to 4.3.3 and a report that includes the _time field (which used to come out in epoch format) now displays the field as a formatted string.

I have changed nothing with the query. It has always been a search | timchart | eval (to rename a field) | fields _time,some,other,fields

That's all! No formatting, etc.

The _time value used to look like this: 1341288000

Now shows up like this, including the quotation marks (this is not from the same number though!): "2012-07-24 00:00:00.000 EDT"

Someone recently asked how to get epoch time, and the answer was to reference _time but as you can see. that has ceased to work for me!

Anyone know about this? The documentation still says this:

"The _time field is stored internally in UTC Format. It is translated to human-readable Unix time format when Splunk renders the search results (the very last step of search time event processing)."

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

MHibbin
Influencer
‎08-31-2012 09:57 AM

I noticed this, as you used to have to format _time to be human readable as well.

However now, when generate data in tabular format with _time it shows as ascii human-readable. However when I rename the field from _time to something like Time it shows up as epoch. I then have to use eval to rearrange it.

You can try renaming the field.

View solution in original post

Reply
Solved! Jump to solution
Solution

MHibbin
Influencer
‎08-31-2012 09:57 AM

I noticed this, as you used to have to format _time to be human readable as well.

However now, when generate data in tabular format with _time it shows as ascii human-readable. However when I rename the field from _time to something like Time it shows up as epoch. I then have to use eval to rearrange it.

You can try renaming the field.

Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎08-31-2012 10:54 AM

Depending where you see this, it may or may not be considered a bug. Certainly in the Web UI and in the CLI tools, it has rendered human-readable and time-zone corrected, and that would not be a bug. But if you're using the API or exporting to a file or something, then I would say that _time should remain as UTC epoch seconds.

0 Karma
Reply
Solved! Jump to solution

Sqig
Path Finder
‎08-31-2012 10:48 AM

Thank you very much. This does work. I'm in contact with Splunk regarding this as well, so they know about this issue.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...