I have a search outputting results which include a field for 'closedtime'. On occasion, however, this field will be blank. When this occurs, how do I fill this field with the current time?
Appreciate any help!
The if condition checks if the value of the field closedtime is either null OR blank (length is 0). If it is, use the current time given in epoch format by the function now() and format it to a string timestamp using the strftime function. If it's neither null nor blank, use the value of the field itself.
@jacqu3sy - You can modify the parameters to the strftime function to have the time format the same as the closedtime values - http://docs.splunk.com/Documentation/Splunk/6.5.2/SearchReference/Commontimeformatvariables
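
The check described in the answer above, written out as a search that runs on its own (an added example, not code from the original posts). The makeresults rows are constructed sample data, the timestamp format string is an assumption to be matched to the real closedtime values, and trim() goes one step beyond the answer so that whitespace-only values are also treated as blank.

```spl
| makeresults count=4
| streamstats count AS row
| eval case_label=case(row==1, "populated (constructed)", row==2, "empty string (constructed)", row==3, "whitespace only (constructed)", row==4, "null (constructed)")
| eval closedtime=case(row==1, "2017-03-01 10:15:00", row==2, "", row==3, "   ")
| eval was_missing=if(isnull(closedtime) OR len(trim(closedtime))==0, "yes", "no")
| eval closedtime=if(isnull(closedtime) OR len(trim(closedtime))==0, strftime(now(), "%Y-%m-%d %H:%M:%S"), closedtime)
| table row case_label was_missing closedtime
```

Row 1 keeps its original value; rows 2 to 4 receive the search-time timestamp. The was_missing field records which values were filled in, so a substituted close time is not later mistaken for a recorded one.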