Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to display _time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to display _time
hello
I have tow problems
1 I export my search result to csv file
but when I open it the time just display like this
1.52E+09 how to do if I want time to display right
index=maillog I timechart span=1d,count(eval(IP=×××)) as IP1 I outputcsv IP1
2 I use this command to count the IP
but in my column chart the interval is not one day
_time display like this 3/25 3/27 3/29
how to set it like 3/25 3/26 3/27 3/28 3/29
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
can you try this:
index=_internal
| timechart count
| eval _time=strftime(_time,"%m/%d")
| outputcsv hola
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For 1) you could use a workaround in the search and transform the _time field like this
index=maillog
| timechart span=1d,count(eval(IP=×××)) as IP1
| eval _time=strftime(_time, "%Y-%m-%d")
| outputcsv IP1
Regarding 2), I don't understand your need here.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello there,
_time is in epoch
try something like this:
index = <your_index> sourcetype=<your_sourcetype>
| bin _time span=1d
| eval _time = strftime(_time, "%m/%d")
| stats count(eval(IP="IP1")) as IP_CSV by _time
| outputcsv IP1
hope it helps
as a side note, if you are only looking at that IP, better practice would be to filter to it first:
... your search ... IP=IP1 | ... more sstuff ... | stats count as IP1
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
