Not a splunk newbie, but I cant seem to figure out how to format my timechart values to be readable. The default format:
2013-08-28T14:30:00.000-04:00
Is not ideal for reading, and is normally too much information.
Use fieldformat
to create the format you want.
... | timechart ... | fieldformat _time=strftime(_time,"%+")
For some inspiration on format strings, visit http://strfti.me/
I personally check the strftime man pages on any UNIX system I happen to have nearby. They're available on the web too, of course: http://linux.die.net/man/3/strftime for instance.
This seems to work great, but where can I find the options for strftime? I dont see a "%+" formatting option from your link..
(Not having tried this yet...) does it keep the format for any tooltips as well?