Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help to convert a unix time
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
07-28-2023
01:26 AM
Hi
I use a | stats min(_time) as time_min stats max(_time) as time_max command in my search
The time is displayed in Unix format
Example :
Time_min=1688019886.761
Time-max=1690461727.136
I have added an eval time=strftime(_time, "%d-%m-%Y %H:%M" before the stats in order to convert the time but the result is sometimes strange because the max time is older than the min time
How to convert the time properly please?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jotne
Builder
07-28-2023
02:04 AM
You need your search above and it needs to contain the _time field. Can you post your full SPL search?
<your search>
| stats min(_time) as time_min max(_time) as time_max
| convert ctime(time_min)
| convert ctime(time_max)
This should work with all Splunk installation:
index=_internal
| stats min(_time) as time_min max(_time) as time_max
| convert ctime(time_min)
| convert ctime(time_max)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jotne
Builder
07-28-2023
02:11 AM
If you like a custom format, yes, then your need to use eval and not convert.
PS if you can accept the answer it would be fine 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jotne
Builder
07-28-2023
02:04 AM
You need your search above and it needs to contain the _time field. Can you post your full SPL search?
<your search>
| stats min(_time) as time_min max(_time) as time_max
| convert ctime(time_min)
| convert ctime(time_max)
This should work with all Splunk installation:
index=_internal
| stats min(_time) as time_min max(_time) as time_max
| convert ctime(time_min)
| convert ctime(time_max)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jotne
Builder
07-28-2023
01:33 AM
Try this:
| stats min(_time) as time_min max(_time) as time_max
| convert ctime(time_min)
| convert ctime(time_max)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jip31
Motivator
07-28-2023
02:08 AM
Tha.ks it works
And now if i want to format the time i need to do an eval _time?
Get Updates on the Splunk Community!
AppDynamics Summer Webinars
This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...
SOCin’ it to you at Splunk University
Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...
Credit Card Data Protection & PCI Compliance with Splunk Edge Processor
Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...
