Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I convert the time in my table to a human readable date format?

otman01
Communicator
‎08-18-2015 04:28 AM

Hi everyone,

I want to make a table that gives me the quantity of purchases for each product for the last 3 days.

I start by making this search:

host="L81341" sourcetype="csv"  earliest=-2d@d | chart   count  by     Product , _time span=1d   | convert timeformat="%Y/%m/%d"  ctime(_time)

but the problem is the date is not being converted to a human readable format. I have something like this:

Product1 / 1439676000   /1439762400 /1439848800
Product2 / 50 / 50 / 35
Product3 / 0 / 1 / 85
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

acharlieh
Influencer
‎08-18-2015 06:24 AM

How about:

host="L81341" sourcetype="csv" earliest=-2d@d | bin span=1d _time | convert timeformat="%F" ctime(_time) | chart count by Product,_time

In this way, we bin by day and make the conversion of the time value upfront, (since the _time field would no longer exist after the chart in your search, instead you have fields for each numeric time), Then we perform the chart with the converted _time field.

Edit: Updated the timeformat as it looks like in your example that you're looking for an ISO 8601 formatted date.

View solution in original post

Reply
Solved! Jump to solution
Solution

acharlieh
Influencer
‎08-18-2015 06:24 AM

How about:

host="L81341" sourcetype="csv" earliest=-2d@d | bin span=1d _time | convert timeformat="%F" ctime(_time) | chart count by Product,_time

In this way, we bin by day and make the conversion of the time value upfront, (since the _time field would no longer exist after the chart in your search, instead you have fields for each numeric time), Then we perform the chart with the converted _time field.

Edit: Updated the timeformat as it looks like in your example that you're looking for an ISO 8601 formatted date.

Reply
Solved! Jump to solution

otman01
Communicator
‎08-18-2015 06:27 AM

Thank you acharlieh,
you are amazing

Reply
Solved! Jump to solution

otman01
Communicator
‎08-18-2015 06:13 AM

I want something like that:
ProductID / 2015-08-15/2015-08-16/2015-08-17
Product1 / 50 / 50 / 35
Product2 / 0 / 1 / 85

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...