Solved: Re: Is there a way to format the _time field?

echojacques · ‎10-14-2013

Is there a way to format the "_time" field? I currently use _time in many of my dashboards and searches; however, it is formatted differently depending on the sourcetype.

My attempt to standardize the output of _time below doesn't work:

sourcetype="mysource" | table _time("%m/%d/%y %I:%M:%S %p") field1 field2 field3

Does anyone know how to do this?

Thanks!

echojacques · ‎10-14-2013

I solved my own question, this worked:

sourcetype="mysource" | eval time=strftime(_time, "%m/%d/%y %I:%M:%S:%p") | table time field1 field2 field3

Although I still think you should be able to format _time directly without the use of an eval 🙂

View solution in original post

manus · ‎09-10-2014

I believe the implicit answer to the question is "No".

If you want to display _time the way you want, you have to do it in another field.

echojacques · ‎10-14-2013

I solved my own question, this worked:

sourcetype="mysource" | eval time=strftime(_time, "%m/%d/%y %I:%M:%S:%p") | table time field1 field2 field3

Although I still think you should be able to format _time directly without the use of an eval 🙂

dwaddle · ‎10-14-2013

It's been my experience that | table _time ... will format _time into a sane value anyway. At least directly in the search app. It may act different in a dashboard. But, if you want a specific time format your strftime is a great approach.

Is there a way to format the _time field?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...