Splunk Search

timechart time format change

Explorer

I am trying to tabulate number of specific operation per day using this format

timechart span=1d count as DLCreateCount

How do I replace the _time value with a human readable time format ?

Tags (1)
0 Karma

SplunkTrust
SplunkTrust

I have the same problem and I cannon found a solution (also using 6.1.0.), I tried information from other answers but with no result:

I cannot use other commands because I need results in many columns, one for each User (timechart span=1w count by User)

inserting "|convert ctime(_time) as time" after the timechart command adds a column without replacing the _time column

inserting "|convert ctime(_time) as time" before the timechart command has no effect on the output

inserting "| fieldformat time=strftime(time,"%+")" before or after the timechart command I have this result for the time "0NaN-NaN-NaN NaN:NaN:NaN"

Anyone has an idea?

Thanks Giuseppe

Communicator
eval _time=strftime(_time,"%c")"
0 Karma

Explorer

Thanks for the suggestion. I managed to get it in the format I want using this

timechart span=1d count as DLCreateCount | convert ctime(_time) as time | table time DLCreateCount

Splunk Employee
Splunk Employee

You could do something like this - an example of using strftime to pull out the name of the Day and then counting over the past seven days. In this case "_time" is replaced by Day. Play with strftime and the time range to get what you want.

... earliest=-7d@d latest=now |  bucket span=1d _time | eval Day=strftime(_time, "%u. %A") |  stats count as DLCreateCount by Day 
0 Karma

Champion

Hello,
There are many ways.

timechart ... |convert ctime(_time) 

will do it as well. But in Splunk 6 you will get it automatically.

0 Karma

Champion

No it replaces the same column where you have the time column.

0 Karma

Explorer

this will create additional time column :

_time DLCreateCount Time

I would like to replace the _time with time

0 Karma

Splunk Employee
Splunk Employee
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!