Splunk Search

How to replace label "_time" with "time" coming in timecharts?

ranjyotiprakash
Communicator

I have used timecharts in a Splunk app. But in all the timecharts, when I mouse over the chart, the info shown in the black box comes with the "_time" label for time. I want to know how to replace _time with the time label.

<view template="dashboard.html" stylesheet="dashboard.css">




*
False
1


dashboard


True
uname_setting
Unit Name :
test search


unit_name
unit_name



uname_setting

stringreplace


$target$



Last 60 minutes
True

sourcetype="access" |TR_unitname|where unit_name = "$unit_name$"| eval bandwidth=round(bytes_sent/1024,2)| timechart sum(bandwidth) | rename sum(bandwidth) AS "Bandwidth Consumed (in KB)"


Traffic Over Time
line
zero
Time
Bandwidth(in KB)
bottom

100%
360px


flashtimeline
true




    <module name="HiddenSearch" layoutPanel="panel_row2_col2" autoRun="True">
            <param name="search">sourcetype="firewall" Attack_Description!="NULL" |`WF_unitname`| where unit_name = "$unit_name$" | timechart count by Attack_Description</param>
            <module name="JobProgressIndicator"/>
            <module name="HiddenChartFormatter">
                    <param name="chartTitle">Attacks Over Time</param>
                    <param name="chart">column</param>
                    <param name="chart.stackMode">stacked</param>
                    <param name="primaryAxisTitle.text">Time</param>
                    <param name="secondaryAxisTitle.text">Count of Attacks</param>
                    <param name="legend.placement">bottom</param>
                    <module name="FlashChart">
                            <param name="width">100%</param>
                            <param name="height">360px</param>
                            <module name="ConvertToDrilldownSearch">
                                    <module name="ViewRedirector">
                                            <param name="viewTarget">flashtimeline</param>
                                            <param name="popup">true</param>
                                    </module>
                            </module>
                    </module>
            </module>
    </module>




I don't know how this _time is coming. I want to replace this _time with time.

Thanks !

1 Solution

Drainy
Champion

Just add a |rename _time as time to the end of your search string

ranjyotiprakash
Communicator

hi smolcj,
the search you mentioned in the comment doesn't work at all.

Thanks for reply

0 Karma

ranjyotiprakash
Communicator

It's doing the change but changes the time and date format. But I want to know why by default it is coming as _time on all the charts. But when I create a report from the splunkweb UI, it's coming as time?
Thanks !

0 Karma

smolcj
Builder

|convert ctime(_time) as time

0 Karma

Drainy
Champion

add another | convert ctime(time) to the end 🙂

0 Karma

ranjyotiprakash
Communicator

Hi Drainy,

Piping "rename _time As time" changes the time format and then it's coming as Unix time like 1355423400 in the chart.

Thanks

0 Karma