Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

timechart time format change

gancw1
Explorer
‎01-13-2014 06:14 PM

I am trying to tabulate number of specific operation per day using this format

timechart span=1d count as DLCreateCount

How do I replace the _time value with a human readable time format ?

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-18-2014 08:43 AM

I have the same problem and I cannon found a solution (also using 6.1.0.), I tried information from other answers but with no result:

I cannot use other commands because I need results in many columns, one for each User (timechart span=1w count by User)

inserting "|convert ctime(_time) as time" after the timechart command adds a column without replacing the _time column

inserting "|convert ctime(_time) as time" before the timechart command has no effect on the output

inserting "| fieldformat time=strftime(time,"%+")" before or after the timechart command I have this result for the time "0NaN-NaN-NaN NaN:NaN:NaN"

Anyone has an idea?

Thanks Giuseppe

Reply

3no
Communicator
‎04-03-2017 04:44 AM 
eval _time=strftime(_time,"%c")"
0 Karma
Reply

gancw1
Explorer
‎01-22-2014 12:11 AM

Thanks for the suggestion. I managed to get it in the format I want using this 

timechart span=1d count as DLCreateCount | convert ctime(_time) as time | table time DLCreateCount
Reply

jbrodsky_splunk
Splunk Employee
Splunk Employee
‎01-14-2014 10:39 AM

You could do something like this - an example of using strftime to pull out the name of the Day and then counting over the past seven days. In this case "_time" is replaced by Day. Play with strftime and the time range to get what you want.

... earliest=-7d@d latest=now |  bucket span=1d _time | eval Day=strftime(_time, "%u. %A") |  stats count as DLCreateCount by Day
0 Karma
Reply

linu1988
Champion
‎01-13-2014 07:49 PM

Hello,
There are many ways.

timechart ... |convert ctime(_time)

will do it as well. But in Splunk 6 you will get it automatically.

0 Karma
Reply

linu1988
Champion
‎01-14-2014 09:08 AM

No it replaces the same column where you have the time column.

0 Karma
Reply

gancw1
Explorer
‎01-14-2014 01:03 AM

this will create additional time column :

_time DLCreateCount Time

I would like to replace the _time with time

0 Karma
Reply

jsie_splunk
Splunk Employee
Splunk Employee
‎01-13-2014 06:19 PM

See if Ayn's answer here works for you: http://answers.splunk.com/answers/100969/how-to-format-timechart-time-values-easily

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...