Archive

Changing date_hour format

Path Finder

Hi all,

I would like to use date_hour as part of the query. The result of date_hour showing 1,2,3....23. How can I change the format of date_hour to become e.g. 1 is 1:00 to 1:59, 20 is 20:00 to 20:59?

Thanks for your help in advance.

Tags (1)
0 Karma
1 Solution

SplunkTrust
SplunkTrust

@krusovice, you can try the following

<yourcurrentsearch>
| eval date_hour=if(len(date_hour)==1,"0".date_hour.":00",date_hour.":00")
| sort date_hour

Following is a run anywhere search based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by date_hour
| eval date_hour=if(len(date_hour)==1,"0".date_hour.":00",date_hour.":00")
| sort date_hour
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

SplunkTrust
SplunkTrust

@krusovice, you can try the following

<yourcurrentsearch>
| eval date_hour=if(len(date_hour)==1,"0".date_hour.":00",date_hour.":00")
| sort date_hour

Following is a run anywhere search based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by date_hour
| eval date_hour=if(len(date_hour)==1,"0".date_hour.":00",date_hour.":00")
| sort date_hour
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Path Finder

Hi @niketnilay,

It's work fine to display 01:00, 02:00...etc. However my requirement is to able to display as "01:00 - 01:59", how can I achieve that?

0 Karma

SplunkTrust
SplunkTrust

Try the following then:

| eval date_hour=if(len(date_hour)==1,"0".date_hour.":00 - ".date_hour.":59",date_hour.":00 - ".date_hour.":59")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

Path Finder

Thank you so much for the answer, my result looking great now 🙂

0 Karma

SplunkTrust
SplunkTrust

Glad it worked 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma