topic Every timespan of transaction need time format in Splunk Search

Every timespan of transaction need time format

Manasi25 — Wed, 25 Aug 2021 02:26:40 GMT

hello,

I have alert transaction at "ACK" and at "Resolved", i have created table for each value, but unable to edit time format of each. Please help. Please find attached image for reference.

Current Output-

857415

piyush.moorjani piyush.moorjani

2021-08-25T01:57:26Z 2021-08-25T01:58:47Z

ACKED

RESOLVED

need time format of third col.

Re: Every timespan of transaction need time format

ITWhisperer — Wed, 25 Aug 2021 09:56:51 GMT

Are these multi-value fields? If so, have you tried mvmap to format each value?

Re: Every timespan of transaction need time format

Manasi25 — Wed, 25 Aug 2021 15:01:49 GMT

Hi,

No i haven't use mvmap for this.

These are multi- value fields from same field called transitions{}.at

858681

mike.dowling
mike.dowling

2021-08-25T14:44:00Z
2021-08-25T14:53:40Z

ACKED

RESOLVED

Re: Every timespan of transaction need time format

ITWhisperer — Wed, 25 Aug 2021 16:19:35 GMT

Re: Every timespan of transaction need time format

Manasi25 — Wed, 25 Aug 2021 17:50:30 GMT

Hi @ITWhisperer

I have multiple alerts of incidentNumber, user , ack time and resolved time.
how can i sort my whole data as having lots of rows?

Re: Every timespan of transaction need time format

ITWhisperer — Wed, 25 Aug 2021 18:08:37 GMT

You should probably extract the transitions array, mvexpand it into separate events, then extract the fields from transitions.

Re: Every timespan of transaction need time format

Manasi25 — Thu, 26 Aug 2021 00:56:26 GMT

i did mvexpand for this, i need time format for "TIME" col. PFB

Re: Every timespan of transaction need time format

ITWhisperer — Thu, 26 Aug 2021 06:22:15 GMT

I have shown you how to reformat multi-value fields, but you also mentioned sort - what are you trying to sort by? Perhaps if you gave an example of the desired output, that might help. By the way, you haven't used mvexpand in the way I suggested, but without know what you are trying to achieve, it is hard to know whether what you have done is correct or not.

Re: Every timespan of transaction need time format

Manasi25 — Thu, 26 Aug 2021 12:03:23 GMT

hello

I want to time format of column "TIME", i have formatted it, but resulting "NULL" output as these times are showing from single field called "transition{].at" and unable to do format of two values at a time into table.

  startTime: 2021-08-26T11:02:25Z
   transitions: [ [-]
     { [-]
       at: 2021-08-26T11:03:06Z
       by: asma.sahbani
       name: ACKED
     }
     { [-]
       at: 2021-08-26T11:12:58Z
       by: asma.sahbani
       manually: true
       name: RESOLVED
     }

Re: Every timespan of transaction need time format

Manasi25 — Wed, 08 Sep 2021 11:17:04 GMT

hello

Any update on this?

Re: Every timespan of transaction need time format

ITWhisperer — Wed, 08 Sep 2021 11:28:02 GMT

Did you try the mvmap solution I proposed earlier? What were the results?

Re: Every timespan of transaction need time format

Manasi25 — Thu, 23 Sep 2021 15:14:30 GMT

here is result, it worked, but how can we use on my source type/index?

Please help, i m just a beginner.

My data is below,

Re: Every timespan of transaction need time format

ITWhisperer — Thu, 23 Sep 2021 15:53:19 GMT

OK you field appears to be called TIME rather than time as in my example, so try

| eval TIME=mvmap(TIME,strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%S"),"%d/%m/%Y %H:%M:%S"))

Re: Every timespan of transaction need time format

Manasi25 — Fri, 24 Sep 2021 01:10:30 GMT

Hello

It worked, but showing incorrect time of "ACK" alerts and it's skipping "Resolved" time in second row of single "incidentNumber".

Re: Every timespan of transaction need time format

ITWhisperer — Fri, 24 Sep 2021 06:11:52 GMT

You appear to be making a 5 hour adjustment to times elsewhere in the search so you could do the same here

| eval TIME=mvmap(TIME,strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%S")-18000,"%d/%m/%Y %H:%M:%S"))

Re: Every timespan of transaction need time format

Manasi25 — Tue, 28 Sep 2021 11:12:25 GMT

Thank you ! it worked.