Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: _time related...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, it might be very simple but i am missing something
when i look at the _time value along with other fields in the splunk results i see the _time values like below
This is not unix epoch time right? because unix/epoch time values will be like all numbers 7589541266985 (as an example) - correct?
I read _time is by default epoch then why do i see this format in my results when i run the query ? |table _time, field1,field2
_time
2025-07-26 04:45:16.549
from _time i just want to get the date part without time like 2025-07-26 and use it in the where clause as filter to restrict the data for july - previous month data like >=2025-07-01 and <=2025-07-32
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk does store _time as Unix epoch time. But when you use commands like | table _time, Splunk automatically formats _time into a human-readable timestamp.
With where clause you can use something like below,
<BASE_SEARCH>
| eval date_only=strftime(_time, "%Y-%m-%d")
| where date_only >= "2025-07-01" AND date_only <= "2025-07-31"
Splunk's built-in time modifiers are even more efficient.
Eg:
index=your_index sourcetype=your_sourcetype earliest="07/01/2025:00:00:00" latest="07/31/2025:23:59:59"
Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk does store _time as Unix epoch time. But when you use commands like | table _time, Splunk automatically formats _time into a human-readable timestamp.
With where clause you can use something like below,
<BASE_SEARCH>
| eval date_only=strftime(_time, "%Y-%m-%d")
| where date_only >= "2025-07-01" AND date_only <= "2025-07-31"
Splunk's built-in time modifiers are even more efficient.
Eg:
index=your_index sourcetype=your_sourcetype earliest="07/01/2025:00:00:00" latest="07/31/2025:23:59:59"
Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe that you are looking in a Splunk views. Across nearly all interfaces, Splunk always displays the field named _time as calendar time. You can try this to see if that field is epic or string:
| eval question = if(isnum(_time), "is", "is not") . " numeric"You can also display arbitrary numeric value as calendar entry. For example
| makeresults format=csv data="anynumber
1234"
| eval _time = anynumber| _time | anynumber |
| 1969-12-31 16:20:34 | 1234 |
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
