Splunk Search

Renaming _time field causes an unwanted result

nik_splunk
Path Finder

Good Morning all. I'm experiencing a strange behavior when I try to rename _time's field.

My goal is to run a search by tag -> piping it to a timechart count -> rename _time as foo.

When I run

tag="admin" startmonthsago="10" | timechart count | rename _time as foo

the result is a table where foo's column isn't in a familiar time format. How can I manage it? How can I keep the original time format (i.e. 11/1/09 12:00:00.000 AM) instead of getting a newer one (1257030000) after the renaming?

Thanks in advance for any support.

Nik

P.S. time format = 11/1/09 12:00:00.000 AM; after renaming _time as something else --> time format = 1257030000

2 Solutions

gkanapathy
Splunk Employee

The _time field is automatically converted to a human-readable display because Splunk knows what it represents. Other fields are not automatically converted. However, you can just add:

... | convert ctime(foo)

to the end of your search query to make it happen. Consult http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Convert for more options and formatting.


Lowell
Super Champion

Sometimes renaming _time can have unwanted side effects. So it's worth noting that you can always make a copy of the _time field and then manipulate the copy (this may not work for your exact example, but sometimes this can be a better approach).

So if you wanted to make a field called my_time and wanted it formatted as just YYYY-MM-DD, then you could do something like this:

| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)

Also keep in mind that there are other ways to control chart formatting, especially in Splunk 4.1. But that seems like that may be a different question than what you are asking here.

(You didn't mention which version of Splunk you are running. The timeformat piece may be new in Splunk 4, I don't remember)

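As an added example (mine, not code from either answer above): the copy-then-format approach applied to the full search from the question, so the timechart keeps its real _time while the displayed column is a separate string field. The span value, the field name foo and the closing table command are my own choices; startmonthsago is kept as the question wrote it.

```spl
tag="admin" startmonthsago="10"
| timechart span=1d count
| eval foo=_time
| convert timeformat="%Y-%m-%d" ctime(foo)
| table foo count
```

After convert ctime, foo is a plain string: a "%Y-%m-%d" format still sorts correctly as text, whereas the default "%m/%d/%y" display would not, which is one reason to format the copy and leave _time itself untouched for sorting or a further timechart. Both the default _time display and convert ctime render in the timezone of the user running the search, which is why 1257030000 (2009-10-31 23:00:00 UTC) appears as midnight on 11/1/09 in the question; pick the timezone deliberately if the table is going into a report or an incident timeline that others will compare against UTC logs.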

monalisadas
New Member

If you rename the time column using rename or convert, then you will have the problem. If you update the label of the axis using the edit panel menu, it works fine.



si_rbrisita
Engager

A combination of rename and convert worked for me:

| rename _time as Day
| convert timeformat="%Y/%m/%d" ctime(Day)

Thanks!


nik_splunk
Path Finder

Dear Lowell,
thanks for your support. I'm using Splunk 4.0.9.


vsingla1
Communicator

| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)

This solution worked perfectly for me. Thanks so much man!!



nik_splunk
Path Finder

thanks gkanapathy.
