I am trying to tabulate the number of a specific operation per day using this format:
timechart span=1d count as DLCreateCount
How do I replace the _time value with a human-readable time format?
I have the same problem and I cannot find a solution (also using 6.1.0). I tried information from other answers but with no result:
I cannot use other commands because I need results in many columns, one for each User (timechart span=1w count by User)
inserting "|convert ctime(_time) as time" after the timechart command adds a column without replacing the _time column
inserting "|convert ctime(_time) as time" before the timechart command has no effect on the output
inserting "| fieldformat time=strftime(time,"%+")" before or after the timechart command, I have this result for the time: "0NaN-NaN-NaN NaN:NaN:NaN"
Does anyone have an idea?
Thanks Giuseppe
eval _time=strftime(_time,"%c")
Thanks for the suggestion. I managed to get it in the format I want using this:
timechart span=1d count as DLCreateCount | convert ctime(_time) as time | table time DLCreateCount
You could do something like this - an example of using strftime to pull out the name of the Day and then counting over the past seven days. In this case "_time" is replaced by Day. Play with strftime and the time range to get what you want.
... earliest=-7d@d latest=now | bucket span=1d _time | eval Day=strftime(_time, "%u. %A") | stats count as DLCreateCount by Day
Hello,
There are many ways.
timechart ... |convert ctime(_time)
will do it as well. But in Splunk 6 you will get it automatically.
No, it replaces the same column where you have the time column.
This will create an additional time column:
_time DLCreateCount Time
I would like to replace the _time with time
See if Ayn's answer here works for you: http://answers.splunk.com/answers/100969/how-to-format-timechart-time-values-easily