Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help to convert a unix time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I use a | stats min(_time) as time_min stats max(_time) as time_max command in my search
The time is displayed in Unix format
Example :
Time_min=1688019886.761
Time-max=1690461727.136
I have added an eval time=strftime(_time, "%d-%m-%Y %H:%M" before the stats in order to convert the time but the result is sometimes strange because the max time is older than the min time
How to convert the time properly please?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need your search above and it needs to contain the _time field. Can you post your full SPL search?
<your search>
| stats min(_time) as time_min max(_time) as time_max
| convert ctime(time_min)
| convert ctime(time_max)
This should work with all Splunk installation:
index=_internal
| stats min(_time) as time_min max(_time) as time_max
| convert ctime(time_min)
| convert ctime(time_max)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you like a custom format, yes, then your need to use eval and not convert.
PS if you can accept the answer it would be fine 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need your search above and it needs to contain the _time field. Can you post your full SPL search?
<your search>
| stats min(_time) as time_min max(_time) as time_max
| convert ctime(time_min)
| convert ctime(time_max)
This should work with all Splunk installation:
index=_internal
| stats min(_time) as time_min max(_time) as time_max
| convert ctime(time_min)
| convert ctime(time_max)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
| stats min(_time) as time_min max(_time) as time_max
| convert ctime(time_min)
| convert ctime(time_max)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tha.ks it works
And now if i want to format the time i need to do an eval _time?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
