topic Re: How do I create a time field? in Splunk Search

How do I create a time field?

danielbb — Thu, 19 Nov 2020 15:23:10 GMT

I have the EVENT_TIMESTAMP_UTC field with the values of -

2020-11-19 13:50:08.393085 2020-11-19 13:50:08.3517 2020-11-19 13:50:08.306023 2020-11-19 13:50:08.238995 2020-11-19 13:50:08.16885

I would like to create a new time field and treat the data as in the UTC time-zone.

Re: How do I create a time field?

to4kawa — Tue, 24 Nov 2020 23:23:50 GMT

| makeresults | eval EVENT_TIMESTAMP_UTC=split("2020-11-19 13:50:08.393085,2020-11-19 13:50:08.3517,2020-11-19 13:50:08.306023,2020-11-19 13:50:08.238995,2020-11-19 13:50:08.16885",",") | rename COMMENT as "the logic" | mvexpand EVENT_TIMESTAMP_UTC | rex field=EVENT_TIMESTAMP_UTC "(?<data>\d[\w\-: ]+)\.(?<msecond>\d+)" | eval msecond=printf("%06d",msecond) | eval EVENT_TIMESTAMP_UTC=strptime(data.msecond,"%F %T%6Q")

Re: How do I create a time field?

inventsekar — Wed, 25 Nov 2020 00:18:38 GMT

Great query @to4kawa ... i need to learn lot of stuff from your search queries!

but could you pls explain us the context here.. i got confused with this request... the question says "I have the EVENT_TIMESTAMP_UTC field"...
then why "treat the data as in the UTC time-zone" ?!?!

Re: How do I create a time field?

to4kawa — Wed, 25 Nov 2020 01:06:16 GMT

hi @inventsekar
I thought the log was JSON, so I started by making the multi-value to single.
We can use rex with max_match and do it all at once with mvmap.

If it was a single value, rex and eval are enough.