Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I extract the event time?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amccallon
New Member
04-05-2017
12:39 PM
I tried this but didn't work. | return _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-06-2017
07:28 AM
@amccallon... fieldformat will adjust the field value for display while retaining the time as epoch. Are you trying to do something like this?
| fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| table _time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-06-2017
07:28 AM
@amccallon... fieldformat will adjust the field value for display while retaining the time as epoch. Are you trying to do something like this?
| fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
| table _time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amccallon
New Member
04-06-2017
08:13 AM
Thank you that worked!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
niketn
Legend
04-06-2017
08:50 AM
@amccallon please accept the answer, if it solved the issue for you.
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
skoelpin
SplunkTrust
04-05-2017
06:47 PM
Are you trying to reformat the time at search time? If so then you will need to re-index your data with the correct TIME_FORMAT attribute in props.conf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
amccallon
New Member
04-06-2017
07:19 AM
Thanks Splunkers! I am trying to return a date to display. I get the epoch time when i use the return _time like above but it doesn't get reformatted to a readable date and time?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pradeepkumarg
Influencer
04-05-2017
06:34 PM
what are you trying to do? _time is already available. you can just append | table _time to your search
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
