Splunk Search

Renaming _time field causes an unwanted result

Path Finder

Good Morning all. I'm experiencing a strange behavior when I try to rename the _time field.

My goal is to run a search by tag -> piping it to a timechart count -> rename _time as foo.

When I run

tag="admin" startmonthsago="10" | timechart count | rename _time as foo

the result is a table where foo's column isn't in a familiar time format. How can I manage it? How can I keep the original time format (i.e. 11/1/09 12:00:00.000 AM) instead of getting a new one (1257030000) after the renaming?

Thanks in advance for any support.

Nik

p.s. time format = 11/1/09 12:00:00.000 AM after renaming _time as smthelse --> time format = 1257030000

2 Solutions

Splunk Employee

The _time field is automatically converted to a human-readable display because Splunk knows what it represents. Other fields are not automatically converted. However, you can just add:

... | convert ctime(foo)

to the end of your search query to make it happen. Consult http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Convert for more options and formatting.


Super Champion

Sometimes renaming _time can have unwanted side effects. So it's worth noting that you can always make a copy of the _time field and then manipulate the copy (this may not work for your exact example, but sometimes this can be a better approach).

So if you wanted to make a field called my_time and wanted it formatted as just YYYY-MM-DD, then you could do something like this:

| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)

Also keep in mind that there are other ways to control chart formatting, especially in Splunk 4.1. But that seems like that may be a different question than what you are asking here.

(You didn't mention which version of Splunk you are running. The timeformat piece may be new in Splunk 4, I don't remember)

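As an added example that is not from any of the posters above, the search below puts both accepted answers together on synthetic data so it can be run without any indexed events. It assumes a Splunk version that has the makeresults command (6.3 or later, so not the asker's 4.0.9); the five constructed epoch values start at the asker's 1257030000 and step one day apart. _time itself is left untouched through timechart, and two display copies are derived from it: foo, rendered with convert ctime using a timeformat chosen to match the asker's sample layout (the %3N millisecond directive is an assumption based on Splunk's strftime variables), and my_time in YYYY-MM-DD as in Lowell's answer.

```spl
| makeresults count=5
| streamstats count AS n
| eval _time = 1257030000 + (n - 1) * 86400
| timechart span=1d count
| eval foo=_time, my_time=_time
| convert timeformat="%m/%d/%y %I:%M:%S.%3N %p" ctime(foo)
| convert timeformat="%Y-%m-%d" ctime(my_time)
| fields - _time
```

The first three lines only fabricate events with a _time field; timechart then bins them per day exactly as it would for real data. Because foo and my_time are copies, the chart still has its real _time column available until the final fields command drops it, which is the point of Lowell's copy-then-convert approach. The rendered strings depend on the timezone configured for the user running the search: 1257030000 displays as 11/1/09 12:00:00.000 AM in a UTC+1 timezone, but as 10/31/09 11:00:00.000 PM for a user set to UTC.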

New Member

If you rename the time column using rename or convert, then you will have the problem. If you update the label of the axis using the edit panel menu, it works fine.



Engager

A combination of rename and convert worked for me:

| rename _time as Day
| convert timeformat="%Y/%m/%d" ctime(Day)

Thanks!


Path Finder

Dear Lowell,
thanks for your support. I'm using Splunk 4.0.9.


Communicator

| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)

This solution worked perfectly for me. Thanks so much man!!



Path Finder

thanks gkanapathy.
