Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How do I prevent milliseconds from displaying in the _time field in search results?

Alexwii
New Member
‎02-03-2016 06:19 AM

Hello everyone !

I would like my search results to not display milliseconds in the _time field in the Search app, because it's useless for me. Example, I have 15:14:33:000 and I want 15:14:33.

Thank you so much for your answer.

alt text

Preview file
4 KB
0 Karma
Reply

renjith_nair
Legend
‎02-03-2016 07:19 AM

You can set the time to your favourite format

your search |eval _time=strftime(_time,"%d/%m/%Y %H:%M:%S")

You can set it permanent in props.conf if you don't care about millisecond precision in your searches
http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Configuretimestamprecognition

[<spec>]
TIME_FORMAT = %d/%m/%Y %H:%M:%S
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

Alexwii
New Member
‎02-03-2016 07:27 AM

Thank you for your answer, but when I write your command, I have :

NaN/NaN/0NaN 
NaN:NaN:NaN.000

After personalize, it's same problem...

0 Karma
Reply

renjith_nair
Legend
‎02-03-2016 08:19 PM

Try your search|eval Time=strftime(_time,"%d/%m/%Y %H:%M:%S") |table Time , "other fields"

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

Alexwii
New Member
‎02-04-2016 02:02 AM

Thanks you so much ! It's work !

But when I write in /opt/splunk/etc/apps/search/local/props.conf

[]

TIME_FORMAT = %d/%m/%Y %H:%M:%S

It's not work... I restart Splunk, wait +12h and it's not ok...

0 Karma
Reply

renjith_nair
Legend
‎02-04-2016 02:12 AM

Sorry you can ignore this part and remove this settings. This is for extracting the timestamp from your event(initially i thought so). Since your timestamp extraction is fine you don't need this.

Please see here :http://docs.splunk.com/Documentation/Splunk/6.3.2/Data/Configuretimestamprecognition#Reconfigure_how...

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...