- Splunk Answers
- :
- Using Splunk
- :
- Reporting
- :
- How to format _time field in results email?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Finally got the csv results sent out in emails to only include the relevant info by using the "fields - xxxx,_raw" statement, however, the _time field that's included by default is sent out only as the epoch timestamp.
I'm sure I can use "fields - xxxx,_time,_raw" to get rid of the epoch version, but what would be the syntax to get a FORMATTED timestamp back in the output along the lines of:
HH:MM:SS MM-DD-YYYY
for each event line? Looked at the "format" operator, and tried looking up "format _time" and "timestamp formatting output" to no avail in the docs.
Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
or use strftime in the eval command:
| eval time=strftime(_time, "%H:%M:%S %m-%d-%y")
see:
http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions http://docs.python.org/library/datetime.html#strftime-strptime-behavior
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And five years later, I was struggling to find the command that formats a field without actually changing the actual value of the field. This five year old answer is one that kept turning up. If anyone still reads this, I would really recommend looking into fieldformat instead. This command has been around since 6.0, so it wasn't available five years ago.
I noticed with convert that you can have some unexpected results, because it changes the sorting order, e.g. in the output of stats, eventhough you might sort before using convert.
Check out fieldformat:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fieldformat
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have used the convert command to format timestamp:
| convert ctime(_time) as datetime timeformat="%d/%m/%Y %H:%M:%S"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
or use strftime in the eval command:
| eval time=strftime(_time, "%H:%M:%S %m-%d-%y")
see:
http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions http://docs.python.org/library/datetime.html#strftime-strptime-behavior
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Pipe it to convert:
| convert ctime(_time) as timestamp
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
