How to change format for _time field values to display in timechart report?

pbernardin
Explorer

Hi, I am trying to create a timechart report and I want to manipulate the output of the _time field so that instead of reading 8/28/14 12:00:00.000 AM it shows, for example, 8/28/14 or Thursday. Anyone know how to do this? I am not referencing the _time field, so removing/modifying it seems tough. This is the last piece of the 7 day search:

index="pan_logs" | timechart span=1d dc(src_user) as "Source" BY firewall

Thanks,
Paul

1 Solution

lguinn2
Legend

timechart implicitly references the _time field, always. BUT you can't do this:

index="pan_logs" 
| timechart span=1d dc(src_user) as "Source" BY firewall
| eval _time = strftime(_time,"%A")

Sorry, I thought that would work. But you can't assign a new value to the built-in _time field. Solution? Make your own time field! Here is how:

index="pan_logs"  
| bucket _time span=1d 
| stats dc(src_user) as "Source" BY _time, firewall
| eval newTime = strftime(_time,"%x") 
| xyseries newTime firewall Source

How this works: first it groups the _time variable by day, which you did with timechart before. Then it computes your Source statistic, but using the stats command. The eval creates the new timestamp. (Use whatever time format you like. Common Time Format Variables has more info about your options.) The last step reformats the results of the stats command so it will show up in a chart the way you want.

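The same bucket/stats/eval/xyseries pipeline written out end to end, as an added example that is not from the original thread. The index name pan_logs and the fields src_user and firewall come from the question; the 7 day window, the %a %m/%d day label and the fillnull step are assumptions. The important detail is that _time must be part of the stats BY clause: stats keeps only the fields it groups by, so grouping on firewall alone discards _time and a later strftime(_time, ...) has nothing to format, which is exactly the symptom of the time values "not changing".

```spl
index="pan_logs" earliest=-7d@d latest=@d
| bin _time span=1d
| stats dc(src_user) AS Source BY _time, firewall
| eval Day = strftime(_time, "%a %m/%d")
| xyseries Day firewall Source
| fillnull value=0
```

bin is an alias of bucket, so the two are interchangeable. The rows come out of xyseries in the chronological order stats produced them; once Day is a string, a sort on it would be lexical rather than by date, so do any time-based sorting before the eval. fillnull value=0 puts a 0 in the cell for any firewall that logged no events on a given day, so every series has a point on every day of the chart.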

Heff
Splunk Employee

try this:
| eval n=strftime(_time,"%Y-%m-%d")

lguinn2
Legend

Good suggestion.


lguinn2
Legend

Sorry, I forgot about that. I updated my answer above, so that hopefully it will work now. (I even tested it.)


pbernardin
Explorer

Actually, I spoke too soon. When I tried this, my time formats were not changed, even after trying multiple variables / formats like %A, %a, etc. Maybe I need the eval in a different place? Any other ideas?


pbernardin
Explorer

Awesome. Thank you so much.
