Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract the event time?

amccallon
New Member
‎04-05-2017 12:39 PM

I tried this but didn't work. | return _time=strftime(_time,"%Y-%m-%d %H:%M:%S")

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-06-2017 07:28 AM

@amccallon... fieldformat will adjust the field value for display while retaining the time as epoch. Are you trying to do something like this?

 | fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
 | table _time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-06-2017 07:28 AM

@amccallon... fieldformat will adjust the field value for display while retaining the time as epoch. Are you trying to do something like this?

 | fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
 | table _time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

amccallon
New Member
‎04-06-2017 08:13 AM

Thank you that worked!

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎04-06-2017 08:50 AM

@amccallon please accept the answer, if it solved the issue for you.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎04-05-2017 06:47 PM

Are you trying to reformat the time at search time? If so then you will need to re-index your data with the correct TIME_FORMAT attribute in props.conf

0 Karma
Reply
Solved! Jump to solution

amccallon
New Member
‎04-06-2017 07:19 AM

Thanks Splunkers! I am trying to return a date to display. I get the epoch time when i use the return _time like above but it doesn't get reformatted to a readable date and time?

0 Karma
Reply
Solved! Jump to solution

pradeepkumarg
Influencer
‎04-05-2017 06:34 PM

what are you trying to do? _time is already available. you can just append | table _time to your search

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...