Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How can I display _time in my results using stats command?

EvansB
Path Finder
‎02-17-2022 04:56 PM

How can I display _time in my results using stats command
I get this field when I use "table _time"

EvansB_1-1645128730320.png
Just like the image above, I want to get the time field using stats and/or eval command
The image below is how my time events look like. 

EvansB_0-1645124157881.png

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

tshah-splunk
Splunk Employee
Splunk Employee
‎02-17-2022 09:39 PM

Hey @EvansB,

You can simply use the below query to get the time field displayed in the stats table

| stats values(time) as time by _time 

Here, I  have kept _time and time as two different fields as the image displays time as a separate field. If both time and _time are the same fields, then it should not be a problem using either. But if they are different fields, and you want to use _time, then you can replace _time with time in the values function.

---
If you find the answer helpful, an upvote/karma is appreciated
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-17-2022 10:59 PM

Hi @EvansB,

let me understand: do you want to use _time for grouping events or as a field to display?

in the first case you could use the hint of @tshah-splunk , but is useful to add a bin command before the stats to group results, otherwise you'll have too many results:

| bin _time span=1d
| stats values(*) as * by _time

if instead you need to display _time as a field, you can put it in the stats options, using some function:

  • values(to have all the distinct values of _time,
  • earliest to have the first value,
  • latest to have the latest value.

In both situations, you have also, at the end, to convert _time from epochtime to human readable format using strftime.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...