Solved: How to replace label "_time" with "time" coming in...

ranjyotiprakash · ‎12-21-2012

I have used timecharts in splunk app. But, in all the time-charts, When mouseover the time-chart, the info it is showing in the black box comes with "_time" label for time. I want to know how to replace the _time with time label.

enter code here
<view template="dashboard.html" stylesheet="dashboard.css">

Overall Summary

    <module name="HiddenSearch" layoutPanel="panel_row2_col2" autoRun="True">
            <param name="search">sourcetype="firewall" Attack_Description!="NULL" |`WF_unitname`| where unit_name = "$unit_name$" | timechart count by Attack_Description</param>
            <module name="JobProgressIndicator"/>
            <module name="HiddenChartFormatter">
                    <param name="chartTitle">Attacks Over Time</param>
                    <param name="chart">column</param>
                    <param name="chart.stackMode">stacked</param>
                    <param name="primaryAxisTitle.text">Time</param>
                    <param name="secondaryAxisTitle.text">Count of Attacks</param>
                    <param name="legend.placement">bottom</param>
                    <module name="FlashChart">
                            <param name="width">100%</param>
                            <param name="height">360px</param>
                            <module name="ConvertToDrilldownSearch">
                                    <module name="ViewRedirector">
                                            <param name="viewTarget">flashtimeline</param>
                                            <param name="popup">true</param>
                                    </module>
                            </module>
                    </module>
            </module>
    </module>

I don't know how this _time is coming. I want to replace this _time with time.

Thanks !

Drainy · ‎12-21-2012

Just add a |rename _time as time to the end of your search string

View solution in original post

Drainy · ‎12-21-2012

Just add a |rename _time as time to the end of your search string

ranjyotiprakash · ‎12-21-2012

hi smolcj,
the search you mentioned in the comment doesn't work at all.

Thanks for reply

ranjyotiprakash · ‎12-21-2012

It's doing the change but changes the time and date format. But, I want to know why by default it is coming as _time on all the charts. But, when I create a report from the splunkweb UI it's coming as time ?
Thanks !

smolcj · ‎12-21-2012

|convert ctime(_time) as time

Drainy · ‎12-21-2012

add another | convert ctime(time) to the end 🙂

ranjyotiprakash · ‎12-21-2012

Hi Drainy,

Piping "rename _time As time" changes the time format and then it's coming as unix Time
like 1355423400 in the chart.

Thanks

How to replace label "_time" with "time" coming in timecharts ?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?