Solved: rename command is changing time format

shakSplunk · ‎08-16-2021

Hi all,

I have a field that has a time value such as (_time field):

2021-08-12 15:18:42

However, when I got to use the rename command on the _time field, it changes the format to:

1628723833

Any assistance in how to NOT make the date format change whilst also renaming the field would be greatly appreciated.

tscroggins · ‎08-16-2021

_time is an epoch value internally, but splunkweb provides default formatting for _time. That formatting is lost if you rename the field.

You can restore formatting in tables with fieldformat:

| rename _time as t
| fieldformat t=strftime(t, "%F %T")

If you want to treat t as a string, you can convert the value:

| eval t=strftime(t, "%F %T")

tscroggins · ‎08-16-2021

_time is an epoch value internally, but splunkweb provides default formatting for _time. That formatting is lost if you rename the field.

You can restore formatting in tables with fieldformat:

| rename _time as t
| fieldformat t=strftime(t, "%F %T")

If you want to treat t as a string, you can convert the value:

| eval t=strftime(t, "%F %T")

shakSplunk · ‎08-16-2021

Thanks for the answer! It works when the rename label is one word however when there are whitespaces, it doesn't seem to work. E.g.

| rename _time as "Latest Log Timestamp"
| fieldformat 'Latest Log Timestamp'=strftime(t, "%F %T")

bowesmana · ‎08-16-2021

You left 't' in the strftime. Your statements should be

| fieldformat "Latest Log Timestamp"=strftime('Latest Log Timestamp', "%F %T")

i.e. double quotes on the left hand side and single quotes on the right hand side

shakSplunk · ‎08-16-2021

Good spot, cheers

rename command is changing time format