Splunk Search

Convert Splunk default time to human readable format

steveirogers
Communicator

I have the following saved search which emails result daily to show indexing volume:
index=_internal host=prodlog todaysBytesIndexed LicenseManager-Audit NOT source=*web_service.log startdaysago=30 enddaysago=0 | eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024 | timechart avg(Daily_Indexing_Volume_in_MBs) by host

However, in the emailed report, the date format is as follows:

_time prodlog
1320642000
1320728400
1320814800 9392.988527
1320901200 23420.692374
1320987600 9222.176128
1321074000 8878.713042

Is it possible to convert the "_time" field to a user-friendly format? I searched through some of the other questions but none really addressed this specific question.

Thanks.

1 Solution

steveirogers
Communicator

Great. Thanks gnovak, jaceknykis, yannK. Problem solved. It took portions of all of your responses. First I used the to get the time in a usable format, but the dates in my alert were still not readable.
Then it dawned on me after reading gnovak's response that I was using the "timechart" function in my alert. I converted the "timechart" to "table display_time, indexing_volume" and "magically" the dates in my alert are in the correct format.

Thanks very much for all your help and pointing me in the right direction.
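Putting the pieces of this thread together, here is a version of the original search that keeps a daily average per host but ends in a table rather than a timechart, so the emailed report carries a formatted date column. This is an added example, not the poster's final search: the bin/stats step is assumed as the replacement for timechart, the earliest/latest time modifiers stand in for the startdaysago/enddaysago used in the question, and display_time and indexing_volume are the field names from the accepted answer.

```spl
index=_internal host=prodlog todaysBytesIndexed LicenseManager-Audit NOT source=*web_service.log earliest=-30d@d latest=@d
| eval Daily_Indexing_Volume_in_MBs = todaysBytesIndexed/1024/1024
| bin _time span=1d
| stats avg(Daily_Indexing_Volume_in_MBs) as indexing_volume by _time, host
| eval display_time = strftime(_time, "%Y-%m-%d")
| table display_time, host, indexing_volume
```

The strftime call renders the epoch value of _time as text, so the scheduled report shows it the same way the browser does.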

gnovak
Builder

cool! glad it worked out!


gnovak
Builder

I have a similar search and I added | eval SpaceGB = Space/1048576 to my search and it seemed to work to convert my numbers to GB. I had the same issue.

My entire search I have looks something like this:

host="ynfs1" sourcetype=userdiskusage earliest=-1d | rex field=_raw "(?<Space>\d+)\s*\/home\/(?<UserName>\S+)" | search NOT UserName="shares" | eval SpaceGB = Space/1048576 | sort SpaceGB,UserName desc | head 20 | table UserName,SpaceGB

This search sorts the data and puts it into a table. Maybe try incorporating the | eval SpaceGB = Space/1048576 into your search and see if this makes a difference?

steveirogers
Communicator

Jaceknykis and yannK, thank you both for responding to my query. (I tried to respond sooner but I was having problems logging in to SplunkAnswers.)

I tried both methods but the results did not change.
The problem might be in what I am trying to do. When I run the Saved Search manually in the browser, the results display correctly with formatted dates like this:

11/13/11 12:00:00.000 AM 3007.768024
11/14/11 12:00:00.000 AM 2731.953137
11/15/11 12:00:00.000 AM 9833.730893

However, I have this Saved Search implemented to run on a schedule and to email the results. The emailed results have the strangely formatted date like this:

1321160400 3007.768024
1321246800 2731.953137
1321333200 9833.730893

Any thoughts? Do I need to run some "conversion" on the output results instead?

Thanks again for your response.


jaceknykis
Engager

Hi,

You could use the strftime function of the eval command to convert it. For example:

| eval human_readable_time=strftime(_time, "%Y-%d-%m %H:%M")

yannK
Splunk Employee

You can use the convert functions.
see http://docs.splunk.com/Documentation/Splunk/4.2.4/SearchReference/Convert

Example, to convert and store in a new field:
| convert ctime(_time) as time | table _time time
