how to display _time

fzfeng · ‎04-23-2018

hello

I have tow problems

1 I export my search result to csv file

but when I open it the time just display like this

1.52E+09 how to do if I want time to display right

index=maillog I timechart span=1d，count（eval（IP=×××）） as IP1 I outputcsv IP1

2 I use this command to count the IP

but in my column chart the interval is not one day
_time display like this 3/25 3/27 3/29

how to set it like 3/25 3/26 3/27 3/28 3/29

thanks

TISKAR · ‎04-24-2018

can you try this:

index=_internal  
| timechart count
| eval _time=strftime(_time,"%m/%d")
| outputcsv hola

HeinzWaescher · ‎04-24-2018

For 1) you could use a workaround in the search and transform the _time field like this

 index=maillog 
 | timechart span=1d，count（eval（IP=×××）） as IP1
 | eval _time=strftime(_time, "%Y-%m-%d")
 | outputcsv IP1

Regarding 2), I don't understand your need here.

adonio · ‎04-24-2018

hello there,
_time is in epoch
try something like this:

index = <your_index> sourcetype=<your_sourcetype>
| bin _time span=1d 
| eval _time = strftime(_time, "%m/%d")
| stats count(eval(IP="IP1")) as IP_CSV by _time
| outputcsv IP1

hope it helps

as a side note, if you are only looking at that IP, better practice would be to filter to it first:
... your search ... IP=IP1 | ... more sstuff ... | stats count as IP1

how to display _time

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!