Using Web datamodel _time doesnt show seconds.. th...

dwibedi03 · ‎03-31-2020

I am trying to use tstats to develop a query, however i need _time to be included in the query for the logic to work. but _time doesnt show seconds and it is limiting to minutes only. the Web datamodel that i am using is accelerated. 2020-03-31 08:45:00, this is the timeformat for _time when using tstats.

richgalloway · ‎03-31-2020

This question is confusing. _time is in epoch form, which is a count of seconds. The timestamp format cited specifies seconds (08:45:00). So there is no obvious reason why seconds are not available.
Please share your query.

---
If this reply helps you, Karma would be appreciated.

dwibedi03 · ‎03-31-2020

| tstats values(Web.user_bunit) as user_bunit values(Web.src_bunit) as src_bunit values(Web.src) as src_ip values(Web.http_referrer) as http_referrer values(Web.url) as URL values(Web.category) as category values(Web.url_extension) as url_extension1 from datamodel=Web where Web.http_method=GET AND (Web.url_extension="php" OR Web.url_extension="html" OR Web.url_extension="js") by _time Web.user

here, _time truncates the seconds in the query. I tried using strftime to show seconds it didnt work.

Using Web datamodel _time doesnt show seconds.. the _time is in format of 2020-03-31 08:45:00

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation