I am trying to tabulate number of specific operation per day using this format
timechart span=1d count as DLCreateCount
How do I replace the _time value with a human readable time format ?
I have the same problem and I cannon found a solution (also using 6.1.0.), I tried information from other answers but with no result:
I cannot use other commands because I need results in many columns, one for each User (timechart span=1w count by User)
inserting "|convert ctime(_time) as time" after the timechart command adds a column without replacing the _time column
inserting "|convert ctime(_time) as time" before the timechart command has no effect on the output
inserting "| fieldformat time=strftime(time,"%+")" before or after the timechart command I have this result for the time "0NaN-NaN-NaN NaN:NaN:NaN"
Anyone has an idea?
You could do something like this - an example of using strftime to pull out the name of the Day and then counting over the past seven days. In this case "_time" is replaced by Day. Play with strftime and the time range to get what you want.
... earliest=-7d@d latest=now | bucket span=1d _time | eval Day=strftime(_time, "%u. %A") | stats count as DLCreateCount by Day