topic Re: Need help decuple only time from below record in Splunk Search

Need help decuple only time from below record

bhaskar5428 — Thu, 04 Apr 2024 10:23:00 GMT

My apologies

i was using "eventTimestamp" instead of "@timestamp" in my rex command

i just realized and its working now , However i do not need date in last column need only time.
Please help how to do that.

please find below details

================================================================================

Query

index=* namespace="dk1017-j" sourcetype="kube:container:kafka-clickhouse-snapshot-writer" message="*Snapshot event published*" AND message="*dbI-LDN*" AND message="*2024-04-03*" AND message="*"
|fields message
|rex field=_raw "\s+date=(?<BusDate>\d{4}-\d{2}-\d{2})"
|rex field=_raw "sourceSystem=(?<Source>[^,]*)"
|rex field=_raw "entityType=(?<Entity>\w+)"
|rex field=_raw "\"@timestamp\":\"(?<Time>\d{4}-\d{2}-\d{2}[T]\d{2}:\d{2})" --> Please help Here
|sort Time desc
|dedup Entity
|table Source, BusDate, Entity, Time

================================================================================

Screenshot

-------------------------------------------------------------------------------------------

raw data

{"@timestamp":"2024-04-04T02:25:59.366Z","level":"INFO","message":"Snapshot event published: SnapshotEvent(version=SnapshotVersion(sourceSystem=dbI-LDN, entityType=ACCOUNT, subType=, date=2024-04-03, version=1, snapshotSize=326718, uuid=8739e273-cedc-482b-b696-48357efc8704, eventTimestamp=2024-04-04T02:24:52.762129638), status=CREATED)","thread":"snapshot-checker-3","loggerName":"com.db.sdda.dc.kafka.snapshot.writer.InternalEventSender"}

Show syntax highlighted

Need only time 02:25:59 AM/PM in last column

Re: Need help decuple only time from below record

ITWhisperer — Thu, 04 Apr 2024 10:27:31 GMT

|rex field=_raw "\"@timestamp\":\"\d{4}-\d{2}-\d{2}T(?<Time>\d{2}:\d{2})"

Re: Need help decuple only time from below record

bhaskar5428 — Thu, 04 Apr 2024 10:45:13 GMT

is there way to add AM OR PM according to time.

Re: Need help decuple only time from below record

ITWhisperer — Thu, 04 Apr 2024 11:50:19 GMT

Yes, extract the full timestamp (including the date), then parse it with strptime() into an epoch time value (number of seconds since 1970), then format it with strftime() using the relevant time variables

Date and time format variables - Splunk Documentation

Re: Need help decuple only time from below record

bhaskar5428 — Fri, 05 Apr 2024 04:50:05 GMT

Appreciate if you can share some example .

Re: Need help decuple only time from below record

ITWhisperer — Fri, 05 Apr 2024 08:34:00 GMT

Assuming your ingest has already parsed your timestamp into the _time field, then you can just format that to get the time

| eval Time=strftime(_time, "%I:%M %p")