In my current timestamp field, I have a value like 2015-06-11-083912216431.
I need the value like 08:39:12.
The above-mentioned value is in the format H:M:S.
Thanks in advance.
I would convert to time first:
some search | eval MyUNIXTime=strptime(Timestamp,"%Y-%m-%d-%H%M%S%6N") | eval MyTime=strftime(MyUNIXTime,"%T")
Where Timestamp is the field containing your original time string.
With sed it can be done like this:
your base search giving field Timestamp | rex field=Timestamp mode=sed "s/(\d+-\d+-\d+)-(\d{2})(\d{2})(\d{2})(.*)/\1 \2:\3:\4/g"
Do you want to change the Timestamp format at search time OR index time?
Here is one way. It may be more efficient to use sed, but someone more experienced with sed will have to answer that.
... | rex field=ts "(?P<date>\d{4}-\d{1,2}-\d{1,2})-(?<hour>\d\d)(?P<minute>\d\d)(?P<seconds>\d\d)(?P<subseconds>\d{0,6})" | eval ts=date.":".hour.":".minute.":".seconds.".".subseconds | ...