Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

_time format

benhooper
Communicator
‎08-11-2020 04:02 AM

Our data input contains two timestamp fields — creation_time and modification_time — both formatted in line with ISO 8601 (yyyy/mm/dd hh:mm:ss.ms).

Splunk parses modification_time as _time but, in doing so, it applies the system-default timestamp format, in our case the British one (dd/mm/yyyy hh:mm:ss.ms).

Is there any way that we can either:

  1. Change the timestamp format of _time (not "eval time = _time" etc) so that they match?
    or
  2. Hide or replace _time in search results, dashboard table panels, etc so that we can use the original, modification_time field instead?

2020-08-11 12-03-26 - Search__Splunk_8.0.5_-_Google_Chrome.png

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

benhooper
Communicator
‎09-09-2020 01:28 AM

I found that it's only the Events Table that has a permanent _time column so I simply used a Statistics Table instead.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

renjith_nair
Legend
‎08-11-2020 05:55 AM

What happens when you just omit the _time from search result/dashboard panel by just adding

|fields - _time
Happy Splunking!
0 Karma
Reply
Solved! Jump to solution

benhooper
Communicator
‎08-11-2020 05:59 AM

The column remains but the fields / cells / values are blank:

 

2020-08-11 13-58-42 - Search__Splunk_8.0.5_-_Google_Chrome.png

0 Karma
Reply
Solved! Jump to solution

stonefr33
Explorer
‎08-11-2020 06:09 AM

you can use the table command to choose the fields to display
| table creation_time, modification_time etc.

0 Karma
Reply
Solved! Jump to solution

benhooper
Communicator
‎08-11-2020 06:15 AM

That works for a search but not in the dashboard table panels, even when omitting _time from <fields>.

0 Karma
Reply
Solved! Jump to solution

stonefr33
Explorer
‎08-11-2020 06:36 AM

Is your visualisation 'Events' or 'Stats Table'? Should work for Stats table view but if that view doesn't work for you then you could cheat a little.

| eval _time = modification_time 

OR

You can play with the time formatting with eval strptime (convert to unixtime) and feed that to strftime (format it the way you want) , but it may be more hassle then its worth.

https://docs.splunk.com/Documentation/Splunk/8.0.5/SearchReference/Commontimeformatvariables

0 Karma
Reply
Solved! Jump to solution

benhooper
Communicator
‎08-11-2020 06:45 AM

Ah, it's an events table. Sorry, I forgot that there was another.

Unfortunately, "eval _time = modification_time " doesn't make a difference - the format stays the same. I supposed that's to be expected, though, as _time is originally derived from modification_time anyway. It's like _time has a hardcoded regional time format or something.

0 Karma
Reply
Solved! Jump to solution

stonefr33
Explorer
‎08-11-2020 07:03 AM

Does this work for you?

| eval _time=strftime(_time,"%F %H:%M:%S.%3Q")

Reply
Solved! Jump to solution

benhooper
Communicator
‎08-11-2020 07:10 AM

I'm afraid not. The format stays the same.

0 Karma
Reply
Solved! Jump to solution

stonefr33
Explorer
‎08-11-2020 07:29 AM

Sorry but that's all the tricks I know, not sure if there is something on the backend that can override it. Any of these recommendations I have sent have worked in my environment, but I'm not an admin so unsure of the backend wizardry.

Good luck

0 Karma
Reply
Solved! Jump to solution

benhooper
Communicator
‎08-11-2020 07:30 AM

Thanks anyway!

0 Karma
Reply
Solved! Jump to solution
Solution

benhooper
Communicator
‎09-09-2020 01:28 AM

I found that it's only the Events Table that has a permanent _time column so I simply used a Statistics Table instead.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...