I'm having a hard time displaying the event index time in a table. What is the field name for index time?
Field names starting with an underscore usually will not show up in a results table. The easiest thing to do is use the eval
command to make a new field that is viewable. Note it will be in epoch time (that is, seconds since 1/1/1970 00:00:00 UTC).
In addition to the technique shown by Jag above, you could try adding this to your search:
| eval indextime=strftime(_indextime,"%Y-%m-%d %H:%M:%S")
which should make a new field called indextime with an ISO-formatted value.
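A fuller search that puts the two timestamps side by side, added here as an example and not taken from any of the answers above. It assumes an index named main (a placeholder; substitute your own) and the field names eventtime, indextime and lag_seconds are arbitrary names chosen for this example. Seeing _time and _indextime next to each other, and the difference between them, is the quickest way to tell the two apart and to spot events that reached the indexer long after they happened, which matters when you are judging how far behind an alert can run.

```spl
index=main
| eval eventtime=strftime(_time, "%Y-%m-%d %H:%M:%S")
| eval indextime=strftime(_indextime, "%Y-%m-%d %H:%M:%S")
| eval lag_seconds=_indextime - _time
| table host sourcetype eventtime indextime lag_seconds
| sort - lag_seconds
```

The first eval renders the event timestamp (_time) and the second renders the time the event was written to the index (_indextime); the subtraction works because both underlying fields are epoch seconds, so no convert is needed for the arithmetic. Sorting on lag_seconds surfaces the sources with the largest indexing delay first.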
Oh Ok, thanks for the clarification. Now thanks to the input I know how to display index time and the event time. Thanks again.
That is not the index time. That is the event time.
So I was able to display the time in a table by simply adding the field " _time ". Works great and no eval or convert required!
Something like '* | convert ctime(_indextime) as it | table host it'.
Thank you.
The field name is _indextime, as shown. He is formatting it for you using the convert command http://docs.splunk.com/Documentation/Splunk/6.0/SearchReference/Convert since it is an epoch time and you might want it displayed differently. There is of course more than one way to reformat the timestamp.
Isn't there just a field name to display the event or index time? I tried the above and it didn't work.