Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why is time formatting not working with my search?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jaho_splunk
Engager
02-19-2016
11:00 AM
Why is time formatting not working with the following search:
index=_internal sourcetype=splunkd "Ignoring" AND "binary" | eval time=strftime(_time, "%m/%d/%y %H:%M:%S") | stats earliest(_time) as start, latest(_time) as stop by message, host
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-19-2016
11:36 AM
The field name created for formatted _time is not used in stats, hence the problem. Try like this
index=_internal sourcetype=splunkd "Ignoring" AND "binary" | eval time=strftime(_time, "%m/%d/%y %H:%M:%S") | stats earliest(time) as start, latest(time) as stop by message, host
OR more efficient method (formatting should be done after aggregation, if possible/feasible)
index=_internal sourcetype=splunkd "Ignoring" AND "binary" | stats earliest(_time) as start, latest(_time) as stop by message, host | convert ctime(start) ctime(stop) timeformat="%m/%d/%y %H:%M:%S"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-19-2016
11:36 AM
The field name created for formatted _time is not used in stats, hence the problem. Try like this
index=_internal sourcetype=splunkd "Ignoring" AND "binary" | eval time=strftime(_time, "%m/%d/%y %H:%M:%S") | stats earliest(time) as start, latest(time) as stop by message, host
OR more efficient method (formatting should be done after aggregation, if possible/feasible)
index=_internal sourcetype=splunkd "Ignoring" AND "binary" | stats earliest(_time) as start, latest(_time) as stop by message, host | convert ctime(start) ctime(stop) timeformat="%m/%d/%y %H:%M:%S"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jaho_splunk
Engager
02-19-2016
12:35 PM
Thank you somesoni2 for the solution.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ppablo
Retired
02-22-2016
05:26 PM
Hi @jaho_splunk
If somesoni2's answer solved your question, please don't forget to resolve the post by clicking "Accept" directly below his answer and upvote him for being helpful. Thanks!
Get Updates on the Splunk Community!
Extending Observability Content to Splunk Cloud
Watch Now!
In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...
More Control Over Your Monitoring Costs with Archived Metrics!
What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...
New in Observability Cloud - Explicit Bucket Histograms
Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...
