Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

_time format

benhooper
Communicator
‎08-11-2020 04:02 AM

Our data input contains two timestamp fields — creation_time and modification_time — both formatted in line with ISO 8601 (yyyy/mm/dd hh:mm:ss.ms).

Splunk parses modification_time as _time but, in doing so, it applies the system-default timestamp format, in our case the British one (dd/mm/yyyy hh:mm:ss.ms).

Is there any way that we can either:

  1. Change the timestamp format of _time (not "eval time = _time" etc) so that they match?
    or
  2. Hide or replace _time in search results, dashboard table panels, etc so that we can use the original, modification_time field instead?

2020-08-11 12-03-26 - Search__Splunk_8.0.5_-_Google_Chrome.png

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

benhooper
Communicator
‎09-09-2020 01:28 AM

I found that it's only the Events Table that has a permanent _time column so I simply used a Statistics Table instead.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-11-2020 05:55 AM

What happens when you just omit the _time from search result/dashboard panel by just adding

|fields - _time
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply
Solved! Jump to solution

benhooper
Communicator
‎08-11-2020 05:59 AM

The column remains but the fields / cells / values are blank:

 

2020-08-11 13-58-42 - Search__Splunk_8.0.5_-_Google_Chrome.png

0 Karma
Reply
Solved! Jump to solution

stonefr33
Explorer
‎08-11-2020 06:09 AM

you can use the table command to choose the fields to display
| table creation_time, modification_time etc.

0 Karma
Reply
Solved! Jump to solution

benhooper
Communicator
‎08-11-2020 06:15 AM

That works for a search but not in the dashboard table panels, even when omitting _time from <fields>.

0 Karma
Reply
Solved! Jump to solution

stonefr33
Explorer
‎08-11-2020 06:36 AM

Is your visualisation 'Events' or 'Stats Table'? Should work for Stats table view but if that view doesn't work for you then you could cheat a little.

| eval _time = modification_time 

OR

You can play with the time formatting with eval strptime (convert to unixtime) and feed that to strftime (format it the way you want) , but it may be more hassle then its worth.

https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Commontimeformatvariables

0 Karma
Reply
Solved! Jump to solution

benhooper
Communicator
‎08-11-2020 06:45 AM

Ah, it's an events table. Sorry, I forgot that there was another.

Unfortunately, "eval _time = modification_time " doesn't make a difference - the format stays the same. I supposed that's to be expected, though, as _time is originally derived from modification_time anyway. It's like _time has a hardcoded regional time format or something.

0 Karma
Reply
Solved! Jump to solution

stonefr33
Explorer
‎08-11-2020 07:03 AM

Does this work for you?

| eval _time=strftime(_time,"%F %H:%M:%S.%3Q")

Reply
Solved! Jump to solution

benhooper
Communicator
‎08-11-2020 07:10 AM

I'm afraid not. The format stays the same.

0 Karma
Reply
Solved! Jump to solution

stonefr33
Explorer
‎08-11-2020 07:29 AM

Sorry but that's all the tricks I know, not sure if there is something on the backend that can override it. Any of these recommendations I have sent have worked in my environment, but I'm not an admin so unsure of the backend wizardry.

Good luck

0 Karma
Reply
Solved! Jump to solution

benhooper
Communicator
‎08-11-2020 07:30 AM

Thanks anyway!

0 Karma
Reply
Solved! Jump to solution
Solution

benhooper
Communicator
‎09-09-2020 01:28 AM

I found that it's only the Events Table that has a permanent _time column so I simply used a Statistics Table instead.

0 Karma
Reply
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...