I have a search outputting results which include a field for 'closedtime'. On occasion, however, this field will be blank. When this occurs, how do I fill this field with the current time?
Appreciate any help!
Try this -
| eval closedtime=if(isnull(closedtime) OR len(closedtime)==0,strftime(now(),"%F %T %Z"),closedtime)
Seems to work, would you mind explaining the logic behind it? Not sure I fully understand how it's working!?
The if condition checks if the value of the field closedtime is either null OR blank (length is 0). If it is, use the current time given in epoch format by the function now() and format it to a string timestamp using the strftime function. If it's neither null nor blank, use the value of the field itself.
Great explanation, makes perfect sense. Thanks both.
Thanks @somesoni!
@jacqu3sy - You can modify the parameters to the strftime function to have the same time format as the closedtime values - http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables
That's great, thanks.
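A run-anywhere search exercising the eval from this thread on three constructed rows (populated, empty string, null). This is an added example, not part of the original posts; the `row`, `sample` and `was_blank` fields and the sample timestamp are assumptions made for illustration.

```spl
| makeresults count=3
| streamstats count AS row
| eval sample=case(row==1, "constructed: populated", row==2, "constructed: empty string", row==3, "constructed: null")
| eval closedtime=case(row==1, "2017-03-01 10:15:00 UTC", row==2, "")
| eval was_blank=if(isnull(closedtime) OR len(closedtime)==0, "yes", "no")
| eval closedtime=if(isnull(closedtime) OR len(closedtime)==0, strftime(now(), "%F %T %Z"), closedtime)
| table sample was_blank closedtime
```

Because now() returns the time the search started, the filled-in value changes on every run; the `was_blank` flag, set before the overwrite, keeps those rows distinguishable from tickets that carry a real close time.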