Not getting correct time format in minutes

aditsss
Motivator

Hi All,

I have created the below query:

search index="abc"sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" | rex "TRIM\.CNX(CTR)?\.(?<TRIM_ID>\w+)"
| transaction TRIM_ID startswith="Reading Control-File /absin/TRIM.CNXCTR." endswith="Completed Settlement file processing, TRIM.CNX."
|eval StartTime=min(_time)|eval EndTime=StartTime+duration|eval duration_min=floor(duration/60) |rename duration_min as TRIM.CNX_Duration| table StartTime EndTime TRIM.CNX_Duration| sort +StartTime +EndTime]| fieldformat ProcessingStartTime = strftime(ProcessingStartTime, "%F %T.%3N")| fieldformat ProcessingEndTime = strftime(ProcessingEndTime, "%F %T.%3N")| table starttime EndTime

I am not getting the correct time; I am getting it in the below format:

start time - 1697809010.604

EndTime - 1697809075.170

I want it in this format:

StartTime - 2023-10-20 02:16:56.629

EndTime - 2023-10-20 02:19:57.554

Can someone help me here?

 

0 Karma

ITWhisperer
SplunkTrust
| fieldformat StartTime = strftime(StartTime, "%F %T.%3N")
| fieldformat EndTime = strftime(EndTime, "%F %T.%3N")

0 Karma

aditsss
Motivator

@ITWhisperer 

How can I put it in my query? Can you please guide me?

0 Karma

aditsss
Motivator

@ITWhisperer 

I am using the same in my query but not getting the correct start time and end time.

query:

index="abc"sourcetype =600000304_gg_abs_ipc2 source="/amex/app/gfp-settlement-raw/logs/gfp-settlement-raw.log" | rex "TRIM\.CNX(CTR)?\.(?<TRIM_ID>\w+)"
| transaction TRIM_ID startswith="Reading Control-File /absin/TRIM.CNXCTR." endswith="Completed Settlement file processing, TRIM.CNX."
|eval StartTime=min(_time)|eval EndTime=StartTime+duration|eval duration_min=floor(duration/60) |rename duration_min as TRIM.CNX_Duration| table StartTime EndTime TRIM.CNX_Duration| sort +StartTime +EndTime| fieldformat ProcessingStartTime = strftime(ProcessingStartTime, "%F %T.%3N")| fieldformat ProcessingEndTime = strftime(ProcessingEndTime, "%F %T.%3N")

 

0 Karma

ITWhisperer
SplunkTrust

Try changing the fieldformat lines as I suggested

0 Karma
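An added example, not written by either poster, showing where the suggested fieldformat lines sit in a pipeline of the same shape as the query above. It assumes `makeresults` in place of the original search and `transaction`, with StartTime set to the epoch value quoted in the question and a constructed duration equal to the difference between the two quoted epoch values. fieldformat only changes how a field that exists in the results is displayed, so it has to name StartTime and EndTime (the fields produced by the eval commands) and come before the final table; the underlying values stay numeric, so the sort still orders by time.

```spl
| makeresults
| eval StartTime=1697809010.604, duration=64.566
| eval EndTime=StartTime+duration
| eval duration_min=floor(duration/60)
| rename duration_min as "TRIM.CNX_Duration"
| sort +StartTime +EndTime
| fieldformat StartTime = strftime(StartTime, "%F %T.%3N")
| fieldformat EndTime = strftime(EndTime, "%F %T.%3N")
| table StartTime EndTime "TRIM.CNX_Duration"
```

The displayed date and time depend on the time zone configured for the Splunk user running the search.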