I am tracking Splunk startup and stop through a graph.
index=_audit action=splunkShuttingDown OR action=splunkStarting | timechart span=1s count by action
The time displayed in the graph is a bit long.
Currently displayed: 2017-02-22T00:00:08.000+01:00
I want it to truncate the part after minutes/seconds. Something like this:
2017-02-22 00:00 or
Solved by the eval function:
eval _time=strftime(_time, "%Y-%m-%d %H:%M:%S")