Good Morning all. I'm experiencing a strange behavior when I try to rename _time's field.
My goal is to run a search by tag -> piping it to a timechart count -> rename _time as foo.
When I run
tag="admin" startmonthsago="10" | timechart count | rename _time as foo
the result is a table where foo's column isn't in a familiar time format. How can I manage it? How can I keep the original time format (i.e. 11/1/09 12:00:00.000 AM) instead of getting a newer one (1257030000) after the renaming?
Thanks in advance for any support.
Nik
p.s. time format = 11/1/09 12:00:00.000 AM after renaming _time as smthelse --> time format = 1257030000
The _time field is automatically converted to a human-readable display because Splunk knows what it represents. Other fields are not automatically converted. However, you can just add:
... | convert ctime(foo)
to the end of your search query to make it happen. Consult the http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Convert for more options and formatting.
Sometimes renaming _time can have unwanted side effects. So it's worth noting that you can always make a copy of the _time field and then manipulate the copy (this may not work for your exact example, but sometimes this can be a better approach.)
So if you wanted to make a field called my_time and wanted it formatted as just YYYY-MM-DD, then you could do something like this:
| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)
Also keep in mind that there are other ways to control chart formatting, especially in Splunk 4.1. But that seems like that may be a different question than what you are asking here.
(You didn't mention which version of Splunk you are running. The timeformat piece may be new in Splunk 4, I don't remember)
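The copy-and-format approach applied to the original question's search, as an added example that is not part of Lowell's answer or of Splunk's documentation. The tag, the time range, the daily span and the output field name `day` are assumptions; the point is that `_time` is left untouched for timechart to bucket on, and only the copy is formatted and shown:

```spl
tag="admin" startmonthsago="10"
| timechart span=1d count
| eval day=_time
| convert timeformat="%Y-%m-%d" ctime(day)
| fields - _time
| table day count
```

Because `convert ctime` writes a string, `day` sorts and displays as plain text from that point on, so any time-based command (further `timechart`, `bucket`, relative-time filters) has to run before the `convert`. Dropping `_time` with `fields - _time` is what keeps the result from being treated as a time series; if you still want the chart's time axis, keep `_time` and use `day` only as an extra column.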
If you rename the time column using rename or convert, then you will have the problem. If you update the label of the axis using the edit panel menu, it works fine
A combination of rename and convert worked for me:
| rename _time as Day
| convert timeformat="%Y/%m/%d" ctime(Day)
Thanks!
Dear Lowell,
thanks for your support. I'm using Splunk 4.0.9.
| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)
This solution worked perfectly for me. Thanks so much man!!
thanks gkanapathy.