topic Re: How to splunk search to get time only from date time? in Splunk Search

How to splunk search to get time only from date time?

sekhar463 — Thu, 19 Oct 2023 13:01:47 GMT

hi All,

can you help with splunk search to get time only from date time.

example as 2022/11/28 17:00:00 want to get only time 17:00

Re: splunk search to get time only from date time.

gcusello — Wed, 30 Nov 2022 12:01:33 GMT

Hi @sekhar463,

you have to use the eval command with the strftime funtion, something like this:

<your_search> | eval NEW_START_TIME=strftime(START_TIME,"%H:$M")

Ciao.

Giuseppe

Re: splunk search to get time only from date time.

sekhar463 — Wed, 30 Nov 2022 13:10:26 GMT

hai Thanks for your response.

i am using below query but not getting field values for NEW_START_TIME

index=main sourcetype=autosys_CRD
|eval NEW_START_TIME=strftime(START_TIME,"%H:$M")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

@gcusello

Re: splunk search to get time only from date time.

gcusello — Wed, 30 Nov 2022 13:16:29 GMT

Hi @sekhar463,

sorry I did a mistyping, please try this:

index=main sourcetype=autosys_CRD |eval NEW_START_TIME=strftime(START_TIME,"%H:%M") | table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

Ciao.

Giuseppe

Re: splunk search to get time only from date time.

sekhar463 — Wed, 30 Nov 2022 13:19:27 GMT

still the same empty values for the field values

Re: splunk search to get time only from date time.

gcusello — Wed, 30 Nov 2022 13:24:40 GMT

Hi @sekhar463,

sorry ! I forgot that you START_TIME isn't in epochtime,

please try this:

index=main sourcetype=autosys_CRD | eval NEW_START_TIME=strftime(strptime(START_TIME,"%Y/%m/%d %H:%M:%S"),"%H:%M") | table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

you could also try:

index=main sourcetype=autosys_CRD | eval NEW_START_TIME=substr(START_TIME,10,5) | table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

Ciao.

Giuseppe

Re: How to splunk search to get time only from date time?

sekhar463 — Thu, 19 Oct 2023 13:18:06 GMT

Hi I am trying to calculate SLA breach based on the below job START_TIME and END_TIME

need help on search query to get below scenario.

in below job actual start time was 4:30 but it was started at 4:50

Re: How to splunk search to get time only from date time?

sekhar463 — Thu, 19 Oct 2023 13:17:32 GMT

HI gcusello

I am using below query to calculate if job started on time or not based on actual start time and job start time, the eval condition is not working as i am comparing the time with actual_start time with job start by time

please help if job not started time not matching with actual time then it result is late

and start time is equal to actual start time is the result will be on_time

so how can i create these 2 fields based on these

index=main sourcetype=TEST
| eval Job_start_by=strftime(strptime(START_TIME,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval SLA=IF(Job_start_by="ACTUAL_START_TIME","1.ON-TIME",IF(Job_start_by>"ACTUAL_START_TIME","2.LATE")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,Job_start_by