Solved: Re: Unable to extract Time in search results

ramprakash · ‎03-24-2020

Hi All,

I have proper timestamp logs in Splunk. I am able to extract time for all the searches except one.

index =mtp | stats count by Activity user

when i need count for these two fields, i am getting the result but not Time.

Can someone please suggest.

richgalloway · ‎03-24-2020

The stats command discards all fields except those used in the command itself. In your example, only 'count', 'Activity', and 'user' will be available for use after stats. Depending on how you intend to use Time, try one of stats count, values(_time) as Time by Activity, user or stats count, latest(_time) as Time by Activity, user.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎03-24-2020

The stats command discards all fields except those used in the command itself. In your example, only 'count', 'Activity', and 'user' will be available for use after stats. Depending on how you intend to use Time, try one of stats count, values(_time) as Time by Activity, user or stats count, latest(_time) as Time by Activity, user.

---
If this reply helps you, Karma would be appreciated.

ramprakash · ‎03-24-2020

Hey Thanks it worked but i am getting time in below format.

Activity
user
count
Time
accueil AD161 2 1585034778.911
accueil DRA4D 4 1584974193.304

ramprakash · ‎03-24-2020

I am able to do so with below command

eval time=strftime(Time,"%m/%d/%y")

Unable to extract Time in search results

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Join the Conversation

Unable to extract Time in search results

Stay Connected: Your Guide to January Tech Talks, Office Hours, and Webinars!

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025