Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why does outputlookup gives a different _time column compared to "export", in a .csv file?

rosho
Communicator
‎06-07-2019 01:18 PM

Hi
I used SPL to get the number of logins by the hour for 1 month. The goal is to later import them into python using pandas.
But I am having problems understanding the "_time" column.

This is what I see in Splunk's SPL search result:
alt text

But when I export it into .csv, I see: 

                      _time   Logins
2019-05-01T00:00:00.000-0400    3735
2019-05-01T01:00:00.000-0400    4665
2019-05-01T02:00:00.000-0400    5860
2019-05-01T03:00:00.000-0400    5184
2019-05-01T04:00:00.000-0400    5324
2019-05-01T05:00:00.000-0400    5523
2019-05-01T06:00:00.000-0400    8863
2019-05-01T07:00:00.000-0400    12493

And when I use "outpulookup" to create the .csv, I see: 

   _time    logins  _span
1556683200  3735    3600
1556686800  4665    3600
1556690400  5860    3600
1556694000  5184    3600
1556697600  5324    3600
1556701200  5523    3600
1556704800  8863    3600
1556708400  12493   3600

The SPL to get the search results are:

index=fortigate status=logon
|timechart span=1h count(status) as logins

Thank you

Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martynoconnor
Communicator
‎06-07-2019 01:21 PM

When you export to csv, Splunk is showing literally what you see in the search results, when you do outputlookup, Splunk is inserting the value for _time that the field normally has, which is an epoch time. Splunk treats _time as a special field and so will automatically convert epoch to human readable in the UI. That's why it looks different when you compare the two searches. One is deliberately meant to be human readable, the other is meant to be readable by Splunk.

View solution in original post

Reply
Solved! Jump to solution
Solution

martynoconnor
Communicator
‎06-07-2019 01:21 PM

When you export to csv, Splunk is showing literally what you see in the search results, when you do outputlookup, Splunk is inserting the value for _time that the field normally has, which is an epoch time. Splunk treats _time as a special field and so will automatically convert epoch to human readable in the UI. That's why it looks different when you compare the two searches. One is deliberately meant to be human readable, the other is meant to be readable by Splunk.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...