Solved: Re: Help to convert a unix time

jip31 · ‎07-28-2023

Hi

I use a | stats min(_time) as time_min stats max(_time) as time_max command in my search

The time is displayed in Unix format

Example :

Time_min=1688019886.761

Time-max=1690461727.136

I have added an eval time=strftime(_time, "%d-%m-%Y %H:%M" before the stats in order to convert the time but the result is sometimes strange because the max time is older than the min time

How to convert the time properly please?

jotne · ‎07-28-2023

You need your search above and it needs to contain the _time field. Can you post your full SPL search?

<your search>
| stats min(_time) as time_min max(_time) as time_max 
| convert ctime(time_min)
| convert ctime(time_max)

This should work with all Splunk installation:

index=_internal
| stats min(_time) as time_min max(_time) as time_max 
| convert ctime(time_min)
| convert ctime(time_max)

View solution in original post

jotne · ‎07-28-2023

If you like a custom format, yes, then your need to use eval and not convert.

PS if you can accept the answer it would be fine 🙂

jotne · ‎07-28-2023

You need your search above and it needs to contain the _time field. Can you post your full SPL search?

<your search>
| stats min(_time) as time_min max(_time) as time_max 
| convert ctime(time_min)
| convert ctime(time_max)

This should work with all Splunk installation:

index=_internal
| stats min(_time) as time_min max(_time) as time_max 
| convert ctime(time_min)
| convert ctime(time_max)

jotne · ‎07-28-2023

Try this:

| stats min(_time) as time_min max(_time) as time_max 
| convert ctime(time_min)
| convert ctime(time_max)

jip31 · ‎07-28-2023

Tha.ks it works

And now if i want to format the time i need to do an eval _time?

Help to convert a unix time

other

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...