- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Timechart with Convert Timeformat
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So i can build a timechart like this:
| timechart limit=3 span=1m count by host useother=F
But when I export the results the time format is not readable
How to I format the _time in Timechart or how do I create this kind of chart so that I can format or convert the _time
_time sys01 sys06 srv01 srv02
1334078460 3 2 2 3
1334078520 2 3 2 2
1334078580 3 2 3 3
1334078640 3 3 3 3
1334078700 2 3 2 2
1334078760 2 2 2 2
1334078820 2 2 2 2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try to convert after the timechart.
* | timechart span=1d count by source | convert timeformat=""%Y-%m-%d %H:%M:%S"" ctime(_time) AS date | sort _time | fields - _time | table date *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try to convert after the timechart.
* | timechart span=1d count by source | convert timeformat=""%Y-%m-%d %H:%M:%S"" ctime(_time) AS date | sort _time | fields - _time | table date *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@yannK , thanks for your input.
I'm not getting the exact time for the query.
For example: If I have a DateTime: 2019-12-19T15:03:20Z I see 2019-12-19T00:00:00Z
How can I get the exact DateTime for the event?
my query:
eventtype="xxxxxxx" state!=null xxxx="*" | timechart count by state | convert timeformat="%Y-%m-%dT%H:%M:%SZ" ctime(_time) AS DateTime | sort _time | fields - _time | table DateTime, *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ya Man this did it thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try
... | timechart limit=3 span=1m count by host useother=F | eval Time=strftime(_time,"%H:%M:%S") | table Time,*
Use of convert is considered deprecated, so the eval will accomplish the same thing, then table will reorder the columns.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Helpful description of the commands. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you try with | convert ctime(_time)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ya thanks I tried that first thing.
I tried | convert timeformat="%H:%M:%S" ctime(_time) AS Time | timechart limit=3 span=1m count by host useother=F
But I didn't know how to work in the "Time" veritable
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
