- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Help on SystemTime format and SystemTime stats
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help on SystemTime format and SystemTime stats
Hi
I use the search below but SystemTime doesnt return results
SystemTime format is like this : '2019-03-25T03:49:42.458421900Z'
What is the issue please?
index="x" sourcetype=x (EventCode=6005 OR EventCode=6006)
| eval SystemTime=strftime(strptime(SystemTime, "%Y-%m-%dT%H:%M:%S.%9Q%Z"), "%y-%m-%d %H:%M")
| table host SystemTime
I also want to stats in a table the latest SystemTime for EventCode=6005 and the latest SystemTime for EventCode=6006)
Something like this :
| stats latest(6005) as LastLogon, latest(6006) as LastReboot by host
| sort -LastLogon -LastReboot
Could you help me please??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you run below query, does the value shown in the table has single quotes in them?
index="x" sourcetype=x (EventCode=6005 OR EventCode=6006)
| table host SystemTime
For your second requirement, try like this
index="x" sourcetype=x (EventCode=6005 OR EventCode=6006)
| stats latest(SystemTime) as SystemTime by host EventCode
| xyseries host EventCode SystemTime | rename "6005" as LastLogon "6006" as LastReboot
| sort -LastLogon -LastReboot
Update - working solution for time conversion
index="x" sourcetype=x (EventCode=6005 OR EventCode=6006)
| eval SystemTime=strftime(strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'"), "%y-%m-%d %H:%M")
| table host SystemTime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes there is single quote
I have changed it in my eval but it doesnt works....
Thanks for the second requirement its good
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try (single quotes are added to strptime function time format)
index="x" sourcetype=x (EventCode=6005 OR EventCode=6006)
| eval SystemTime=strftime(strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'"), "%y-%m-%d %H:%M")
| table host SystemTime
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I dont know why but i cant accept your answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I converted my comments to answer now. You should be able to close it now.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
perfect it works!! thanks
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
