Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to rename _time as Time

wuming79
Path Finder
‎06-12-2017 09:15 AM

Hi,

I'm trying to rename _time as Time so that it will display the timestamp in YYYY-MM-DD HH:MM:SS. But when I do rename _time AS "Time" | table Time, it will show the time as Epoch time which was the original format extracted from the log file. How do I rename and table it correctly?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

BlueSocket
Contributor
‎06-12-2017 09:22 AM

I suggest that you don't do a rename of _time, try using an eval to add "Time" and then remove the _time with fields -, such as;

| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time | table Time

That works for me.

View solution in original post

Reply
Solved! Jump to solution

wuming79
Path Finder
‎06-18-2017 10:21 PM

Hi Guys,

I just realized after using the suggested formats, my earliest to latest timestamp is from right to left instead of the normal left to right. How can I reversed this to go from left to right?

How do I also make the timestamp display on the x-axis? There is only label rotation in x-axis format.alt text

Preview file
60 KB
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-12-2017 09:41 AM

The _time field is very special in a number of ways and one of them is that it automatically does this under the sheets:

| fieldformat _time = strftime(_time, <YourLocalRegionTimeFormatStringHere>)

You can do the same like this:

| rename _time AS Time
| fieldformat Time = strftime(Time, "%m/%d/%Y %H:%M:%S")
Reply
Solved! Jump to solution

rjgreg
Explorer
‎10-01-2021 11:50 AM

@woodcock    I have been dragging though a ton of these threads trying to find a simple way to fix how my field _time output information.  I just wanted the date, so I took off the time aspect of your command and BOOM. Thank you.

| rename _time AS Date
| fieldformat Date = strftime(Date, "%Y-%m-%d")

Output:

Date

2021-10-01

Tags (1)
0 Karma
Reply
Solved! Jump to solution

wuming79
Path Finder
‎06-12-2017 09:37 AM

Thanks Guys!

0 Karma
Reply
Solved! Jump to solution
Solution

BlueSocket
Contributor
‎06-12-2017 09:22 AM

I suggest that you don't do a rename of _time, try using an eval to add "Time" and then remove the _time with fields -, such as;

| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time | table Time

That works for me.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-12-2017 09:42 AM

Please see my other answer below; the way to make it exactly the same is with fieldformat, not with eval.

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎06-12-2017 09:22 AM

Hi wuming79,

you can't rename the _time field without getting the value all f*cked up.

Instead do something like this:

yoursearch | eval TIME=strftime(_time, "%d-%m-%Y %H:%M:%S") | table TIME | rename TIME AS whateveryouwantittobe
0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎06-12-2017 09:18 AM

try to do an |eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")|table time...

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...