Solved: Re: How to change format for _time field values to...

pbernardin · ‎09-04-2014

Hi, I am trying to create a timechart report and I want to manipulate the output of the _time field so instead of reading 8/28/14 12:00:00.000 AM that, for example, I can see 8/28/14 or Thursday. Anyone know how to do this? I am not referencing the _time field so removing/modifying it seems tough. This is the last piece of the 7 day search:

index="pan_logs" | timechart span=1d dc(src_user) as "Source" BY firewall

Thanks,
Paul

lguinn2 · ‎09-04-2014

timechart implicitly references the _time field, always. BUT you can't do this

index="pan_logs" 
| timechart span=1d dc(src_user) as "Source" BY firewall
| eval _time = strftime(_time,"%A")

Sorry, I thought that would work. But you can't assign a new value to the built-in _time field. Solution? Make your own time field! Here is how:

index="pan_logs"  
| bucket _time span=1d 
| stats dc(src_user) as "Source" BY firewall
| eval newTime = strftime(_time,"%x") 
| xyseries newTime firewall Source

How this works: first it groups the _time variable by day, which you did with timechart before. Then it computes your Source statistic, but using the stats command. The eval creates the new timestamp. (Use whatever time format you like. Common Time Format Variables has more info about your options.) The last step reformats the results of the stats command so it will show up in a chart the way you want.

View solution in original post

Heff · ‎09-04-2014

try this:
eval n=strptime(_time," %Y-%m-%d")

lguinn2 · ‎09-04-2014

Good suggestion.

lguinn2 · ‎09-04-2014

timechart implicitly references the _time field, always. BUT you can't do this

index="pan_logs" 
| timechart span=1d dc(src_user) as "Source" BY firewall
| eval _time = strftime(_time,"%A")

Sorry, I thought that would work. But you can't assign a new value to the built-in _time field. Solution? Make your own time field! Here is how:

index="pan_logs"  
| bucket _time span=1d 
| stats dc(src_user) as "Source" BY firewall
| eval newTime = strftime(_time,"%x") 
| xyseries newTime firewall Source

How this works: first it groups the _time variable by day, which you did with timechart before. Then it computes your Source statistic, but using the stats command. The eval creates the new timestamp. (Use whatever time format you like. Common Time Format Variables has more info about your options.) The last step reformats the results of the stats command so it will show up in a chart the way you want.

lguinn2 · ‎09-04-2014

Sorry, I forgot about that. I updated my answer above, so that hopefully it will work now. (I even tested it.)

pbernardin · ‎09-04-2014

actually i spoke too soon. When I tried this, my time formats were not changed, even after trying multiple variables / formats like %A , %a , etc... Maybe I need the eval in a different place? Any other ideas?

pbernardin · ‎09-04-2014

awesome. Thank you so much

How to change format for _time field values to display in timechart report?

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation