Splunk Search

Need to rename just one header

infra2sec
Path Finder

Hi,

I need to be able to change the _time column header to something else instead of just saying _time (I guess that you call it field?)
I have been trying to change it, but when I do I end up with missing data below the _time header or it reverts to a timestamp that isn't useable to the average human
.
I know that you all might want to alter the existing search, but I am not permitted to change the search very much at all for reasons beyond the scope of this post.

Here is what I have:

somecoolmacro sourcetype="123_blabla" | rex field=source "someplace\(?[\w\s-]*)" | dedup temp | table temp _time | rename temp as "Date of what I need to know" | fieldformat _time = strftime(_time, "%b %d, %Y")

Thanks in advance!!

P.S. The first part of the search was intended to be accent grave then somecoolmacro then accent grave

I am not sure why it did that.

Tags (1)
0 Karma
1 Solution

AlexeyNL
Explorer

Do you satisfy with solution from here https://answers.splunk.com/answers/1275/renaming-time-field-causes-an-unwanted-result.html?

| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)

View solution in original post

infra2sec
Path Finder

Playing around with it, but it is giving me an extra column and slings an unwanted date column like before.

0 Karma

AlexeyNL
Explorer

Do you satisfy with solution from here https://answers.splunk.com/answers/1275/renaming-time-field-causes-an-unwanted-result.html?

| eval my_time=_time | convert timeformat="%Y-%m-%d" ctime(my_time)
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...