Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to change format for _time field values to display in timechart report?

pbernardin
Explorer
‎09-04-2014 11:58 AM

Hi, I am trying to create a timechart report and I want to manipulate the output of the _time field so instead of reading 8/28/14 12:00:00.000 AM that, for example, I can see 8/28/14 or Thursday. Anyone know how to do this? I am not referencing the _time field so removing/modifying it seems tough. This is the last piece of the 7 day search:

index="pan_logs" | timechart span=1d dc(src_user) as "Source" BY firewall

Thanks,
Paul

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎09-04-2014 12:50 PM

timechart implicitly references the _time field, always. BUT you can't do this

index="pan_logs" 
| timechart span=1d dc(src_user) as "Source" BY firewall
| eval _time = strftime(_time,"%A")

Sorry, I thought that would work. But you can't assign a new value to the built-in _time field. Solution? Make your own time field! Here is how:

index="pan_logs"  
| bucket _time span=1d 
| stats dc(src_user) as "Source" BY firewall
| eval newTime = strftime(_time,"%x") 
| xyseries newTime firewall Source

How this works: first it groups the _time variable by day, which you did with timechart before. Then it computes your Source statistic, but using the stats command. The eval creates the new timestamp. (Use whatever time format you like. Common Time Format Variables has more info about your options.) The last step reformats the results of the stats command so it will show up in a chart the way you want.

View solution in original post

Reply
Solved! Jump to solution

Heff
Splunk Employee
Splunk Employee
‎09-04-2014 04:47 PM

try this:
eval n=strptime(_time," %Y-%m-%d")

Reply
Solved! Jump to solution

lguinn2
Legend
‎09-04-2014 05:37 PM

Good suggestion.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎09-04-2014 12:50 PM

timechart implicitly references the _time field, always. BUT you can't do this

index="pan_logs" 
| timechart span=1d dc(src_user) as "Source" BY firewall
| eval _time = strftime(_time,"%A")

Sorry, I thought that would work. But you can't assign a new value to the built-in _time field. Solution? Make your own time field! Here is how:

index="pan_logs"  
| bucket _time span=1d 
| stats dc(src_user) as "Source" BY firewall
| eval newTime = strftime(_time,"%x") 
| xyseries newTime firewall Source

How this works: first it groups the _time variable by day, which you did with timechart before. Then it computes your Source statistic, but using the stats command. The eval creates the new timestamp. (Use whatever time format you like. Common Time Format Variables has more info about your options.) The last step reformats the results of the stats command so it will show up in a chart the way you want.

Reply
Solved! Jump to solution

lguinn2
Legend
‎09-04-2014 05:36 PM

Sorry, I forgot about that. I updated my answer above, so that hopefully it will work now. (I even tested it.)

0 Karma
Reply
Solved! Jump to solution

pbernardin
Explorer
‎09-04-2014 01:59 PM

actually i spoke too soon. When I tried this, my time formats were not changed, even after trying multiple variables / formats like %A , %a , etc... Maybe I need the eval in a different place? Any other ideas?

0 Karma
Reply
Solved! Jump to solution

pbernardin
Explorer
‎09-04-2014 01:31 PM

awesome. Thank you so much

0 Karma
Reply
Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...
Top