Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

timechart time format change

gancw1
Explorer
‎01-13-2014 06:14 PM

I am trying to tabulate number of specific operation per day using this format

timechart span=1d count as DLCreateCount

How do I replace the _time value with a human readable time format ?

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-18-2014 08:43 AM

I have the same problem and I cannon found a solution (also using 6.1.0.), I tried information from other answers but with no result:

I cannot use other commands because I need results in many columns, one for each User (timechart span=1w count by User)

inserting "|convert ctime(_time) as time" after the timechart command adds a column without replacing the _time column

inserting "|convert ctime(_time) as time" before the timechart command has no effect on the output

inserting "| fieldformat time=strftime(time,"%+")" before or after the timechart command I have this result for the time "0NaN-NaN-NaN NaN:NaN:NaN"

Anyone has an idea?

Thanks Giuseppe

Reply

3no
Communicator
‎04-03-2017 04:44 AM 
eval _time=strftime(_time,"%c")"
0 Karma
Reply

gancw1
Explorer
‎01-22-2014 12:11 AM

Thanks for the suggestion. I managed to get it in the format I want using this 

timechart span=1d count as DLCreateCount | convert ctime(_time) as time | table time DLCreateCount
Reply

jbrodsky_splunk
Splunk Employee
Splunk Employee
‎01-14-2014 10:39 AM

You could do something like this - an example of using strftime to pull out the name of the Day and then counting over the past seven days. In this case "_time" is replaced by Day. Play with strftime and the time range to get what you want.

... earliest=-7d@d latest=now |  bucket span=1d _time | eval Day=strftime(_time, "%u. %A") |  stats count as DLCreateCount by Day
0 Karma
Reply

linu1988
Champion
‎01-13-2014 07:49 PM

Hello,
There are many ways.

timechart ... |convert ctime(_time)

will do it as well. But in Splunk 6 you will get it automatically.

0 Karma
Reply

linu1988
Champion
‎01-14-2014 09:08 AM

No it replaces the same column where you have the time column.

0 Karma
Reply

gancw1
Explorer
‎01-14-2014 01:03 AM

this will create additional time column :

_time DLCreateCount Time

I would like to replace the _time with time

0 Karma
Reply

jsie_splunk
Splunk Employee
Splunk Employee
‎01-13-2014 06:19 PM

See if Ayn's answer here works for you: http://answers.splunk.com/answers/100969/how-to-format-timechart-time-values-easily

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...