Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Unable to rename _time as Time

wuming79
Path Finder
‎06-12-2017 09:15 AM

Hi,

I'm trying to rename _time as Time so that it will display the timestamp in YYYY-MM-DD HH:MM:SS. But when I do rename _time AS "Time" | table Time, it will show the time as Epoch time which was the original format extracted from the log file. How do I rename and table it correctly?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

BlueSocket
Communicator
‎06-12-2017 09:22 AM

I suggest that you don't do a rename of _time, try using an eval to add "Time" and then remove the _time with fields -, such as;

| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time | table Time

That works for me.

View solution in original post

Reply
Solved! Jump to solution

wuming79
Path Finder
‎06-18-2017 10:21 PM

Hi Guys,

I just realized after using the suggested formats, my earliest to latest timestamp is from right to left instead of the normal left to right. How can I reversed this to go from left to right?

How do I also make the timestamp display on the x-axis? There is only label rotation in x-axis format.alt text

Preview file
1 KB
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-12-2017 09:41 AM

The _time field is very special in a number of ways and one of them is that it automatically does this under the sheets:

| fieldformat _time = strftime(_time, <YourLocalRegionTimeFormatStringHere>)

You can do the same like this:

| rename _time AS Time
| fieldformat Time = strftime(Time, "%m/%d/%Y %H:%M:%S")
Reply
Solved! Jump to solution

rjgreg
Explorer
‎10-01-2021 11:50 AM

@woodcock    I have been dragging though a ton of these threads trying to find a simple way to fix how my field _time output information.  I just wanted the date, so I took off the time aspect of your command and BOOM. Thank you.

| rename _time AS Date
| fieldformat Date = strftime(Date, "%Y-%m-%d")

Output:

Date

2021-10-01

Tags (1)
0 Karma
Reply
Solved! Jump to solution

wuming79
Path Finder
‎06-12-2017 09:37 AM

Thanks Guys!

0 Karma
Reply
Solved! Jump to solution
Solution

BlueSocket
Communicator
‎06-12-2017 09:22 AM

I suggest that you don't do a rename of _time, try using an eval to add "Time" and then remove the _time with fields -, such as;

| eval Time = strftime(_time, "%Y-%d-%m %H:%M:%S") | fields - _time | table Time

That works for me.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-12-2017 09:42 AM

Please see my other answer below; the way to make it exactly the same is with fieldformat, not with eval.

0 Karma
Reply
Solved! Jump to solution

horsefez
Motivator
‎06-12-2017 09:22 AM

Hi wuming79,

you can't rename the _time field without getting the value all f*cked up.

Instead do something like this:

yoursearch | eval TIME=strftime(_time, "%d-%m-%Y %H:%M:%S") | table TIME | rename TIME AS whateveryouwantittobe
0 Karma
Reply
Solved! Jump to solution

cmerriman
Super Champion
‎06-12-2017 09:18 AM

try to do an |eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")|table time...

0 Karma
Reply
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...