Splunk Search

Funny Looking Date

Communicator

I have a search that ends with ... | bucket span=1d _time | stats count first(_time) as Date by UserName but the date is showing up as '138380400' instead of 11/07/2013. Do I need to run a function on the date field to format it?

Tags (2)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

Yes, the _time value you see is the epoch time so you would have to format the date time using one of the following.

...| convert timeformat="%m/%d/%Y" ctime(_time) AS _time

...|eval _time=strftime(_time,"%m/%d/%Y")

View solution in original post

SplunkTrust
SplunkTrust

Yes, the _time value you see is the epoch time so you would have to format the date time using one of the following.

...| convert timeformat="%m/%d/%Y" ctime(_time) AS _time

...|eval _time=strftime(_time,"%m/%d/%Y")

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!