Splunk Search

_time format

benhooper
Communicator

Our data input contains two timestamp fields — creation_time and modification_time — both formatted in line with ISO 8601 (yyyy/mm/dd hh:mm:ss.ms).

Splunk parses modification_time as _time but, in doing so, it applies the system-default timestamp format, in our case the British one (dd/mm/yyyy hh:mm:ss.ms).

Is there any way that we can either:

  1. Change the timestamp format of _time (not "eval time = _time" etc) so that they match?
    or
  2. Hide or replace _time in search results, dashboard table panels, etc so that we can use the original, modification_time field instead?

2020-08-11 12-03-26 - Search__Splunk_8.0.5_-_Google_Chrome.png

Labels (1)
0 Karma
1 Solution

benhooper
Communicator

I found that it's only the Events Table that has a permanent _time column so I simply used a Statistics Table instead.

View solution in original post

0 Karma

renjith_nair
Legend

What happens when you just omit the _time from search result/dashboard panel by just adding

|fields - _time
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

benhooper
Communicator

The column remains but the fields / cells / values are blank:

 

2020-08-11 13-58-42 - Search__Splunk_8.0.5_-_Google_Chrome.png

0 Karma

stonefr33
Explorer

you can use the table command to choose the fields to display
| table creation_time, modification_time etc.

0 Karma

benhooper
Communicator

That works for a search but not in the dashboard table panels, even when omitting _time from <fields>.

0 Karma

stonefr33
Explorer

Is your visualisation 'Events' or 'Stats Table'? Should work for Stats table view but if that view doesn't work for you then you could cheat a little.

| eval _time = modification_time 

OR

You can play with the time formatting with eval strptime (convert to unixtime) and feed that to strftime (format it the way you want) , but it may be more hassle then its worth.

https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Commontimeformatvariables

0 Karma

benhooper
Communicator

Ah, it's an events table. Sorry, I forgot that there was another.

Unfortunately, "eval _time = modification_time " doesn't make a difference - the format stays the same. I supposed that's to be expected, though, as _time is originally derived from modification_time anyway. It's like _time has a hardcoded regional time format or something.

0 Karma

stonefr33
Explorer

Does this work for you?

| eval _time=strftime(_time,"%F %H:%M:%S.%3Q")

benhooper
Communicator

I'm afraid not. The format stays the same.

0 Karma

stonefr33
Explorer

Sorry but that's all the tricks I know, not sure if there is something on the backend that can override it. Any of these recommendations I have sent have worked in my environment, but I'm not an admin so unsure of the backend wizardry.

Good luck

0 Karma

benhooper
Communicator

Thanks anyway!

0 Karma

benhooper
Communicator

I found that it's only the Events Table that has a permanent _time column so I simply used a Statistics Table instead.

0 Karma
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...