Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

_time related...

Raj_Splunk_Ing
Path Finder
‎08-25-2025 04:04 PM

Hi, it might be very simple but i am missing something
when i look at the _time value along with other fields in the splunk results i see the _time values like below

This is not unix epoch time right? because unix/epoch time values will be like all numbers 7589541266985 (as an example) - correct?

I read _time is by default epoch then why do i see this format in my results when i run the query ? |table _time, field1,field2

_time

2025-07-26 04:45:16.549

from _time i just want to get the date part without time like 2025-07-26 and use it in the where clause as filter to restrict the data for july - previous month data like  >=2025-07-01 and <=2025-07-32

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PrewinThomas
Motivator
‎08-25-2025 09:12 PM

@Raj_Splunk_Ing 

Splunk does store _time as Unix epoch time. But when you use commands like | table _time, Splunk automatically formats _time into a human-readable timestamp.

With where clause you can use something like below,

<BASE_SEARCH>
| eval date_only=strftime(_time, "%Y-%m-%d")
| where date_only >= "2025-07-01" AND date_only <= "2025-07-31"


Splunk's built-in time modifiers are even more efficient.
Eg:

index=your_index sourcetype=your_sourcetype earliest="07/01/2025:00:00:00" latest="07/31/2025:23:59:59"


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PrewinThomas
Motivator
‎08-25-2025 09:12 PM

@Raj_Splunk_Ing 

Splunk does store _time as Unix epoch time. But when you use commands like | table _time, Splunk automatically formats _time into a human-readable timestamp.

With where clause you can use something like below,

<BASE_SEARCH>
| eval date_only=strftime(_time, "%Y-%m-%d")
| where date_only >= "2025-07-01" AND date_only <= "2025-07-31"


Splunk's built-in time modifiers are even more efficient.
Eg:

index=your_index sourcetype=your_sourcetype earliest="07/01/2025:00:00:00" latest="07/31/2025:23:59:59"


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-25-2025 06:48 PM

I believe that you are looking in a Splunk views.  Across nearly all interfaces, Splunk always displays the field named _time as calendar time.  You can try this to see if that field is epic or string:

| eval question = if(isnum(_time), "is", "is not") . " numeric"

You can also display arbitrary numeric value as calendar entry.  For example

| makeresults format=csv data="anynumber
1234"
| eval _time = anynumber
_timeanynumber
1969-12-31 16:20:341234
0 Karma
Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...