Solved: Renaming _time field causes an unwanted result

nik_splunk · ‎04-13-2010

Good Morning all. I'm experiencing a strange behavior when I try to rename _time's field.

My goal is to run a search by tag -> piping it to a timechart count -> rename _time as foo.

When I run

tag="admin" startmonthsago="10" | timechart count | rename _time as foo

the result is a table where foo's column isn't into a familiar time format. How can I manage it? How can I keep the original time format (i.e. 11/1/09 12:00:00.000 AM) instead of getting a newer one (1257030000) after the renaming?

Thanks in advance for any support.

Nik

p.s. time format = 11/1/09 12:00:00.000 AM after renaming _time as smthelse --> time format = 1257030000

gkanapathy · ‎04-13-2010

the _time field is automatically converted to a human-readable display because Splunk knows what it represents. Other wills are not automatically converted. However, you can just add:

... | convert ctime(foo)

to the end of your search query to make it happen. Consult the http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Convert for more options and formatting.

View solution in original post

Lowell · ‎04-13-2010

Sometimes renaming _time can have unwanted side effects. So it's worth noting that you can always make a copy of the _time field and then manipulate the copy (this many not work for your exact example, but sometimes this can be a better approach.)

So if you wanted to make a field called my_time and wanted it formatted as just YYYY-MM-DD, then you could do something like this:

| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)

Also keep in mind that there are other ways to control chart formatting, especially in Splunk 4.1. But that seems like that may be a different question than what you are asking here.

(You didn't mention which version of Splunk you are running. The timeformat piece may be new in Splunk 4, I don't remember)

View solution in original post

monalisadas · ‎01-23-2015

If you rename the time column using rename or convert, then you will have the problem. If you update the label of the axis using the edit panel menu, it works fine

Lowell · ‎04-13-2010

Sometimes renaming _time can have unwanted side effects. So it's worth noting that you can always make a copy of the _time field and then manipulate the copy (this many not work for your exact example, but sometimes this can be a better approach.)

So if you wanted to make a field called my_time and wanted it formatted as just YYYY-MM-DD, then you could do something like this:

| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)

Also keep in mind that there are other ways to control chart formatting, especially in Splunk 4.1. But that seems like that may be a different question than what you are asking here.

(You didn't mention which version of Splunk you are running. The timeformat piece may be new in Splunk 4, I don't remember)

si_rbrisita · ‎12-23-2015

A combination of rename and convert worked for me:

| rename _time as Day
| convert timeformat="%Y/%m/%d" ctime(Day)

Thanks!

nik_splunk · ‎04-13-2010

Dear Lowell,
thanks for your support. I'm using Splunk 4.0.9.

vsingla1 · ‎11-18-2014

| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)

This solution worked perfect for me. Thanks so much man!!

gkanapathy · ‎04-13-2010

the _time field is automatically converted to a human-readable display because Splunk knows what it represents. Other wills are not automatically converted. However, you can just add:

... | convert ctime(foo)

to the end of your search query to make it happen. Consult the http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/Convert for more options and formatting.

nik_splunk · ‎04-13-2010

thanks gkanapathy.

Renaming _time field causes an unwanted result

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!