topic How do I strip out part of the timestamp so I only get the date? in Getting Data In

How do I strip out part of the timestamp so I only get the date?

mctester — Sat, 05 Jun 2010 04:13:41 GMT

I am trying to build a report where I want to summarize the number of events for an entire year by day sorting by host tags. The issue I am having is how to break the data apart in my search to search the date based only on the month day and year and ignore the timestamp portion. I see that the date is broken apart into fields but I cannot figure out how to concatenate the filed parts into a single field. I am trying to do something similar to a ANSI SQL date part function.

Re: How do I strip out part of the timestamp so I only get the date?

Mick — Sat, 05 Jun 2010 04:15:36 GMT

How does this work for you?

<search_terms> | convert ctime(_time) as Time timeformat=%m/%d/%y

This should give you a new field called 'Time' with the format close to the way you want it. You can also play around with the 'timeformat' to get it to display differently.

Re: How do I strip out part of the timestamp so I only get the date?

Lowell — Sat, 05 Jun 2010 04:27:45 GMT

In 4.1 you can also use the strftime eval command like so:

<search_terms> | eval Time=strftime(_time,"%m/%d/%y")

If you need backwards compatibility with 4.0 or want to convert multiple times as once that going with convert make the most sense. Otherwise I feel like the eval approach is slightly easier to understand.

Re: How do I strip out part of the timestamp so I only get the date?

gkanapathy — Sat, 05 Jun 2010 10:17:57 GMT

If you are searching, you can search on the date_year and date_mday fields in your search. For display purposes, you can use the convert search and strftime() functions after you have search results.

Re: How do I strip out part of the timestamp so I only get the date?

sideview — Sun, 06 Jun 2010 12:26:02 GMT

This is probably too simple an observation but just in case.
"trying to build a report where I want to summarize the number of events for an entire year by day sorting by host tags" is a relatively simple thing to do.
And it makes me think you just want a report of events by day, broken out per host tag. You wouldnt need convert or eval to do that, it would just be:

<your search> | timechart span=1d count by hosttag

run that search over the 'year to date' option in the TimeRangePicker (under 'Other')

This will give you a table where each row is a day, each column across the top is a host tag, and each cell is the count of events for that host tag on that day.

by default timechart will only give you the top 10 hosttags, but you can throw a limit argument in there to raise it.