Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

_time related...

Raj_Splunk_Ing
Path Finder
‎08-25-2025 04:04 PM

Hi, it might be very simple but i am missing something
when i look at the _time value along with other fields in the splunk results i see the _time values like below

This is not unix epoch time right? because unix/epoch time values will be like all numbers 7589541266985 (as an example) - correct?

I read _time is by default epoch then why do i see this format in my results when i run the query ? |table _time, field1,field2

_time

2025-07-26 04:45:16.549

from _time i just want to get the date part without time like 2025-07-26 and use it in the where clause as filter to restrict the data for july - previous month data like  >=2025-07-01 and <=2025-07-32

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PrewinThomas
Motivator
‎08-25-2025 09:12 PM

@Raj_Splunk_Ing 

Splunk does store _time as Unix epoch time. But when you use commands like | table _time, Splunk automatically formats _time into a human-readable timestamp.

With where clause you can use something like below,

<BASE_SEARCH>
| eval date_only=strftime(_time, "%Y-%m-%d")
| where date_only >= "2025-07-01" AND date_only <= "2025-07-31"


Splunk's built-in time modifiers are even more efficient.
Eg:

index=your_index sourcetype=your_sourcetype earliest="07/01/2025:00:00:00" latest="07/31/2025:23:59:59"


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PrewinThomas
Motivator
‎08-25-2025 09:12 PM

@Raj_Splunk_Ing 

Splunk does store _time as Unix epoch time. But when you use commands like | table _time, Splunk automatically formats _time into a human-readable timestamp.

With where clause you can use something like below,

<BASE_SEARCH>
| eval date_only=strftime(_time, "%Y-%m-%d")
| where date_only >= "2025-07-01" AND date_only <= "2025-07-31"


Splunk's built-in time modifiers are even more efficient.
Eg:

index=your_index sourcetype=your_sourcetype earliest="07/01/2025:00:00:00" latest="07/31/2025:23:59:59"


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-25-2025 06:48 PM

I believe that you are looking in a Splunk views.  Across nearly all interfaces, Splunk always displays the field named _time as calendar time.  You can try this to see if that field is epic or string:

| eval question = if(isnum(_time), "is", "is not") . " numeric"

You can also display arbitrary numeric value as calendar entry.  For example

| makeresults format=csv data="anynumber
1234"
| eval _time = anynumber
_timeanynumber
1969-12-31 16:20:341234
0 Karma
Reply
Get Updates on the Splunk Community!

AI for AppInspect

We’re excited to announce two new updates to AppInspect designed to save you time and make the app approval ...

App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community

As we step into 2026, it’s the perfect moment to reflect on what an extraordinary year 2025 was for the Splunk ...

Operationalizing Entity Risk Score with Enterprise Security 8.3+

Overview Enterprise Security 8.3 introduces a powerful new feature called “Entity Risk Scoring” (ERS) for ...