topic Why is strptime and strftime command not working as expected? in Splunk Search

Why is strptime and strftime command not working as expected?

monyathomas — Fri, 28 Jun 2019 09:27:43 GMT

I have two "Survey Type" - 'a' and 'b' and I need to display their count based on the"Survey Complete" data.
Note - The Survey Complete date is in the format MM/DD/YYYY HH:MM format but I need to display it as MM-YYYY format . How do I reframe the below query to get the expected output mentioned above.

index="xyz"
| eval FIELD=strptime("Survey Complete","%m/%d/%Y %H:%M")
| eval DesiredTime=strftime(FIELD,"%Y-%m-%d")
| chart count over "Survey Complete" by "Survey Type"

Re: Why is strptime and strftime command not working as expected?

richgalloway — Fri, 28 Jun 2019 12:29:42 GMT

You don't say what unexpected output you get, but your query doesn't match your question so that could be it.

Try this:

index="xyz" 
| eval FIELD=strptime("Survey Complete","%m/%d/%Y %H:%M") 
| eval DesiredTime=strftime(FIELD,"%m-%Y")
| chart count over "Survey Complete" by "Survey Type"

You can also use a single eval:

index="xyz" 
| eval DesiredTime=strftime(strptime("Survey Complete","%m/%d/%Y %H:%M"), "%m-%Y)
| chart count over "Survey Complete" by "Survey Type"