Solved: Timechart with Convert Timeformat

hartfoml · ‎04-10-2012

So i can build a timechart like this:

| timechart limit=3 span=1m count by host useother=F

But when I export the results the time format is not readable
How to I format the _time in Timechart or how do I create this kind of chart so that I can format or convert the _time

_time sys01 sys06 srv01 srv02

1334078460 3 2 2 3

1334078520 2 3 2 2

1334078580 3 2 3 3

1334078640 3 3 3 3

1334078700 2 3 2 2

1334078760 2 2 2 2

1334078820 2 2 2 2

yannK · ‎07-24-2012

try to convert after the timechart.



 * | timechart span=1d count by source | convert timeformat=""%Y-%m-%d %H:%M:%S"" ctime(_time) AS date | sort _time | fields - _time | table date *

View solution in original post

yannK · ‎07-24-2012

try to convert after the timechart.



 * | timechart span=1d count by source | convert timeformat=""%Y-%m-%d %H:%M:%S"" ctime(_time) AS date | sort _time | fields - _time | table date *

pbankar · ‎12-23-2019

@yannK , thanks for your input.
I'm not getting the exact time for the query.
For example: If I have a DateTime: 2019-12-19T15:03:20Z I see 2019-12-19T00:00:00Z
How can I get the exact DateTime for the event?

hartfoml · ‎07-24-2012

Ya Man this did it thanks

tysonstewart · ‎04-10-2012

Try

... | timechart limit=3 span=1m count by host useother=F | eval Time=strftime(_time,"%H:%M:%S") | table Time,*

Use of convert is considered deprecated, so the eval will accomplish the same thing, then table will reorder the columns.

mikeydee77 · ‎01-06-2017

Helpful description of the commands. Thanks

MarioM · ‎04-10-2012

did you try with | convert ctime(_time)

hartfoml · ‎04-10-2012

Ya thanks I tried that first thing.

I tried | convert timeformat="%H:%M:%S" ctime(_time) AS Time | timechart limit=3 span=1m count by host useother=F

But I didn't know how to work in the "Time" veritable

Timechart with Convert Timeformat

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!