Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timechart time format change

gancw1
Explorer
‎01-13-2014 06:14 PM

I am trying to tabulate number of specific operation per day using this format

timechart span=1d count as DLCreateCount

How do I replace the _time value with a human readable time format ?

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-18-2014 08:43 AM

I have the same problem and I cannon found a solution (also using 6.1.0.), I tried information from other answers but with no result:

I cannot use other commands because I need results in many columns, one for each User (timechart span=1w count by User)

inserting "|convert ctime(_time) as time" after the timechart command adds a column without replacing the _time column

inserting "|convert ctime(_time) as time" before the timechart command has no effect on the output

inserting "| fieldformat time=strftime(time,"%+")" before or after the timechart command I have this result for the time "0NaN-NaN-NaN NaN:NaN:NaN"

Anyone has an idea?

Thanks Giuseppe

Reply

3no
Communicator
‎04-03-2017 04:44 AM 
eval _time=strftime(_time,"%c")"
0 Karma
Reply

gancw1
Explorer
‎01-22-2014 12:11 AM

Thanks for the suggestion. I managed to get it in the format I want using this 

timechart span=1d count as DLCreateCount | convert ctime(_time) as time | table time DLCreateCount
Reply

jbrodsky_splunk
Splunk Employee
Splunk Employee
‎01-14-2014 10:39 AM

You could do something like this - an example of using strftime to pull out the name of the Day and then counting over the past seven days. In this case "_time" is replaced by Day. Play with strftime and the time range to get what you want.

... earliest=-7d@d latest=now |  bucket span=1d _time | eval Day=strftime(_time, "%u. %A") |  stats count as DLCreateCount by Day
0 Karma
Reply

linu1988
Champion
‎01-13-2014 07:49 PM

Hello,
There are many ways.

timechart ... |convert ctime(_time)

will do it as well. But in Splunk 6 you will get it automatically.

0 Karma
Reply

linu1988
Champion
‎01-14-2014 09:08 AM

No it replaces the same column where you have the time column.

0 Karma
Reply

gancw1
Explorer
‎01-14-2014 01:03 AM

this will create additional time column :

_time DLCreateCount Time

I would like to replace the _time with time

0 Karma
Reply

jsie_splunk
Splunk Employee
Splunk Employee
‎01-13-2014 06:19 PM

See if Ayn's answer here works for you: http://answers.splunk.com/answers/100969/how-to-format-timechart-time-values-easily

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...