- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Wierd results with rename
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Wierd results with rename
This is really strange. It appears that I can either rename _time or format _time but not both. Here are the searches and partial results. Why does this happen?
sourcetype="solaris3-web-access" /XXYYZZ/ status="200" | timechart count(status) as Logins | convert timeformat="%H:%M:%S" ctime(Hours) as timestr
Results:
_time ....................................Logins
6/23/11 12:00:00.000 AM..........82
6/23/11 12:30:00.000 AM..........91
6/23/11 1:00:00.000 AM...........3
6/23/11 1:30:00.000 AM...........84
6/23/11 2:00:00.000 AM...........23
Now include the rename
sourcetype="solaris3-web-access" /uhpo/ status="200" | convert timeformat="%H:%M:%S" ctime(_time) as timestr | timechart count(status) as Logins | rename _time as Hours
And get this result:
Hours.....................Logins
1 1308805200..........82
2 1308807000..........91
3 1308808800..........3
4 1308810600..........84
5 1308812400..........23
What I want is the human readable time and the header to say Hours.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi kmattern
Try this search code
sourcetype="solaris3-web-access" /uhpo/ status="200" |timechart count(status) as Logins|appendcols[search sourcetype="solaris3-web-access" /uhpo/ status="200" | convert timeformat="%H:%M:%S" ctime(_time) as timestr|eval n=substr(timestr, 1, 😎 ]|rename n as Hours| table Hours Logins
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try fieldformat:
... | fieldformat Hours=strftime(_time, "%H:%M:%S")
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/Fieldformat
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think the field name _time tells Splunk to make it human readable, so renaming it removes that built-in functionality. This might work for you:
sourcetype="solaris3-web-access" /uhpo/ status="200" |
convert timeformat="%H:%M:%S" ctime(_time) as timestr|
timechart first(timestr) as hours,count as Logins
Jon
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming you dont actually have a field called 'Hours' here, I think your convert clause is having no effect.
The Splunk UI will automatically convert _time, which is always a number of seconds since 1/1/1970, into a localized string. So that's why the _time values in the first example look like "6/23/11 12:30:00.000 AM", and it doesnt have anything to do with your convert clause.
In the second example, by renaming _time you break this behavior so that now the values appear in their native form, namely as the number of seconds since 1/1/1970. Again the convert clause is not doing anything here either.
I think what you want is more like:
sourcetype="solaris3-web-access" /XXYYZZ/ status="200" | timechart count(status) as Logins | convert timeformat="%H:%M:%S" ctime(_time) as Hours | table Hours, Logins`
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
