Splunk Search

How to modify my search to truncate time displayed on chart?

Builder

Hi,

I am tracking Splunk startup and stop through graph.

My search:

index=_audit action=splunkShuttingDown OR action=splunkStarting | timechart span=1s count by action

the time displayed in graph is bit long.
Currently displayed : 2017-02-22T00:00:08.000+01:00

I want it to truncate the part after minutes/seconds. some thing like this.
2017-02-22 00:00 or
2017-02-22 00:00:08

Thanks
Ankit

0 Karma
1 Solution

Builder

Solved by eval function

eval _time=strftime(_time, "%y-%m-%d %I:%M:%S")

View solution in original post

Builder

Solved by eval function

eval _time=strftime(_time, "%y-%m-%d %I:%M:%S")

View solution in original post

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!