How to modify my search to truncate time displayed on chart?

Hi,

I am tracking Splunk startup and stop through a graph.

My search:

index=_audit action=splunkShuttingDown OR action=splunkStarting | timechart span=1s count by action

The time displayed in the graph is a bit long.
Currently displayed: 2017-02-22T00:00:08.000+01:00

I want it to truncate the part after minutes/seconds, something like this:
2017-02-22 00:00 or
2017-02-22 00:00:08

Thanks
Ankit

Re: How to modify my search to truncate time displayed on chart?

Solved by the eval function:

eval time=strftime(_time, "%y-%m-%d %I:%M:%S")