Splunk Search
Highlighted

How do I convert the time in my table to a human readable date format?

Communicator

Hi everyone,

I want to make a table that gives me the quantity of purchases for each product for the last 3 days.

I start by making this search:

host="L81341" sourcetype="csv"  earliest=-2d@d | chart   count  by     Product , _time span=1d   | convert timeformat="%Y/%m/%d"  ctime(_time)

but the problem is the date is not being converted to a human readable format. I have something like this:

Product1 / 1439676000   /1439762400 /1439848800
Product2 / 50 / 50 / 35
Product3 / 0 / 1 / 85
Tags (3)
0 Karma
Highlighted

Re: How do I convert the time in my table to a human readable date format?

Communicator

I want something like that:
ProductID / 2015-08-15/2015-08-16/2015-08-17
Product1 / 50 / 50 / 35
Product2 / 0 / 1 / 85

0 Karma
Highlighted

Re: How do I convert the time in my table to a human readable date format?

Influencer

How about:

host="L81341" sourcetype="csv" earliest=-2d@d | bin span=1d _time | convert timeformat="%F" ctime(_time) | chart count by Product,_time

In this way, we bin by day and make the conversion of the time value upfront, (since the _time field would no longer exist after the chart in your search, instead you have fields for each numeric time), Then we perform the chart with the converted _time field.

Edit: Updated the timeformat as it looks like in your example that you're looking for an ISO 8601 formatted date.

View solution in original post

Highlighted

Re: How do I convert the time in my table to a human readable date format?

Communicator

Thank you acharlieh,
you are amazing