Is there a way to format the "_time" field? I currently use _time in many of my dashboards and searches; however, it is formatted differently depending on the sourcetype.
My attempt to standardize the output of _time below doesn't work:
sourcetype="mysource" | table _time("%m/%d/%y %I:%M:%S %p") field1 field2 field3
Does anyone know how to do this?
Thanks!
I solved my own question, this worked:
sourcetype="mysource" | eval time=strftime(_time, "%m/%d/%y %I:%M:%S:%p") | table time field1 field2 field3
Although I still think you should be able to format _time directly without the use of an eval 🙂
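Two variants of the standardised search, added here as an illustration rather than code from the original thread; `othersource`, `display_time` and the field names are placeholders, and the second variant relies on Splunk's `fieldformat` command, which renders a field at output time without changing its underlying value.

```spl
(sourcetype="mysource" OR sourcetype="othersource")
| eval display_time=strftime(_time, "%m/%d/%y %I:%M:%S %p %z")
| table display_time sourcetype field1 field2 field3

sourcetype="mysource"
| fieldformat _time=strftime(_time, "%m/%d/%y %I:%M:%S %p %z")
| table _time field1 field2 field3
```

The first variant produces a string, so any later `sort` on `display_time` orders lexically rather than chronologically; the second keeps `_time` as epoch seconds, so sorting and time-based commands still work, and `%z` makes the rendering timezone explicit when results are shared across users with different timezone settings.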
I believe the implicit answer to the question is "No".
If you want to display _time the way you want, you have to do it in another field.
It's been my experience that | table _time ... will format _time into a sane value anyway. At least directly in the search app. It may act differently in a dashboard. But, if you want a specific time format, your strftime is a great approach.