Splunk Search

How to replace label "_time" with "time" coming in timecharts?

ranjyotiprakash
Communicator

I have used timecharts in a Splunk app. But in all the timecharts, when I mouse over the chart, the info shown in the black box comes with the "_time" label for time. I want to know how to replace the _time label with time.

<view template="dashboard.html" stylesheet="dashboard.css">




*
False
1


dashboard


True
uname_setting
Unit Name :
test search


unit_name
unit_name



uname_setting

stringreplace


$target$



Last 60 minutes
True

sourcetype="access" |TR_unitname|where unit_name = "$unit_name$"| eval bandwidth=round(bytes_sent/1024,2)| timechart sum(bandwidth) | rename sum(bandwidth) AS "Bandwidth Consumed (in KB)"


Traffic Over Time
line
zero
Time
Bandwidth(in KB)
bottom

100%
360px


flashtimeline
true




    <module name="HiddenSearch" layoutPanel="panel_row2_col2" autoRun="True">
            <param name="search">sourcetype="firewall" Attack_Description!="NULL" |`WF_unitname`| where unit_name = "$unit_name$" | timechart count by Attack_Description</param>
            <module name="JobProgressIndicator"/>
            <module name="HiddenChartFormatter">
                    <param name="chartTitle">Attacks Over Time</param>
                    <param name="chart">column</param>
                    <param name="chart.stackMode">stacked</param>
                    <param name="primaryAxisTitle.text">Time</param>
                    <param name="secondaryAxisTitle.text">Count of Attacks</param>
                    <param name="legend.placement">bottom</param>
                    <module name="FlashChart">
                            <param name="width">100%</param>
                            <param name="height">360px</param>
                            <module name="ConvertToDrilldownSearch">
                                    <module name="ViewRedirector">
                                            <param name="viewTarget">flashtimeline</param>
                                            <param name="popup">true</param>
                                    </module>
                            </module>
                    </module>
            </module>
    </module>




I don't know how this _time is coming. I want to replace this _time with time.

Thanks !

1 Solution

Drainy
Champion

Just add a |rename _time as time to the end of your search string


ranjyotiprakash
Communicator

Hi smolcj,
the search you mentioned in the comment doesn't work at all.

Thanks for the reply

0 Karma

ranjyotiprakash
Communicator

It's doing the change but changes the time and date format. But I want to know why by default it is coming as _time on all the charts, but when I create a report from the splunkweb UI it's coming as time?
Thanks !

0 Karma

smolcj
Builder

|convert ctime(_time) as time

0 Karma

Drainy
Champion

add another | convert ctime(time) to the end 🙂

0 Karma

ranjyotiprakash
Communicator

Hi Drainy,

Piping "rename _time As time" changes the time format and then it's coming as Unix time like 1355423400 in the chart.

Thanks

0 Karma