
How do I extract the event time?

New Member

I tried this but it didn't work: | return time=strftime(time,"%Y-%m-%d %H:%M:%S")

0 Karma

SplunkTrust

@amccallon... fieldformat will adjust the field value for display while retaining the time as epoch. Are you trying to do something like this?

 | fieldformat _time=strftime(_time,"%Y-%m-%d %H:%M:%S")
 | table _time
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
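
The difference between display formatting and value conversion, as an added example that is not part of the original thread. It runs on generated events only; the field names `n`, `time_str`, `time_type`, `str_type`, `age_sec` and `sample_note` are constructed for illustration.

```spl
| makeresults count=3
| eval sample_note = "constructed sample event"
| streamstats count AS n
| eval _time = _time - (n * 3600)
| eval time_str = strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval time_type = typeof(_time), str_type = typeof(time_str)
| fieldformat _time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval age_sec = now() - _time
| sort - _time
| table _time time_str time_type str_type age_sec sample_note
```

`_time` is rendered in the chosen format, yet `time_type` reports `Number` and `age_sec` is still computed after the `fieldformat`, because later commands see the epoch value. `time_str` is a `String` copy made with `eval`, which is the form to use when the readable text itself has to be passed on.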


New Member

Thank you that worked!

0 Karma

SplunkTrust

@amccallon please accept the answer, if it solved the issue for you.

0 Karma

SplunkTrust

Are you trying to reformat the time at search time? If so, then you will need to re-index your data with the correct TIME_FORMAT attribute in props.conf.

0 Karma

New Member

Thanks Splunkers! I am trying to return a date to display. I get the epoch time when I use the return _time like above but it doesn't get reformatted to a readable date and time?

0 Karma

Influencer

What are you trying to do? _time is already available. You can just append | table _time to your search.

0 Karma