Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

timechart time format change

gancw1
Explorer
‎01-13-2014 06:14 PM

I am trying to tabulate number of specific operation per day using this format

timechart span=1d count as DLCreateCount

How do I replace the _time value with a human readable time format ?

Tags (1)
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-18-2014 08:43 AM

I have the same problem and I cannon found a solution (also using 6.1.0.), I tried information from other answers but with no result:

I cannot use other commands because I need results in many columns, one for each User (timechart span=1w count by User)

inserting "|convert ctime(_time) as time" after the timechart command adds a column without replacing the _time column

inserting "|convert ctime(_time) as time" before the timechart command has no effect on the output

inserting "| fieldformat time=strftime(time,"%+")" before or after the timechart command I have this result for the time "0NaN-NaN-NaN NaN:NaN:NaN"

Anyone has an idea?

Thanks Giuseppe

Reply

3no
Communicator
‎04-03-2017 04:44 AM 
eval _time=strftime(_time,"%c")"
0 Karma
Reply

gancw1
Explorer
‎01-22-2014 12:11 AM

Thanks for the suggestion. I managed to get it in the format I want using this 

timechart span=1d count as DLCreateCount | convert ctime(_time) as time | table time DLCreateCount
Reply

jbrodsky_splunk
Splunk Employee
Splunk Employee
‎01-14-2014 10:39 AM

You could do something like this - an example of using strftime to pull out the name of the Day and then counting over the past seven days. In this case "_time" is replaced by Day. Play with strftime and the time range to get what you want.

... earliest=-7d@d latest=now |  bucket span=1d _time | eval Day=strftime(_time, "%u. %A") |  stats count as DLCreateCount by Day
0 Karma
Reply

linu1988
Champion
‎01-13-2014 07:49 PM

Hello,
There are many ways.

timechart ... |convert ctime(_time)

will do it as well. But in Splunk 6 you will get it automatically.

0 Karma
Reply

linu1988
Champion
‎01-14-2014 09:08 AM

No it replaces the same column where you have the time column.

0 Karma
Reply

gancw1
Explorer
‎01-14-2014 01:03 AM

this will create additional time column :

_time DLCreateCount Time

I would like to replace the _time with time

0 Karma
Reply

jsie_splunk
Splunk Employee
Splunk Employee
‎01-13-2014 06:19 PM

See if Ayn's answer here works for you: http://answers.splunk.com/answers/100969/how-to-format-timechart-time-values-easily

Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...