Dashboards & Visualizations
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Re: strftime empties stats-ed field
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
altink
Builder
11-23-2020
07:19 AM
Hi
after I try to format datetime field - it shows empty
index=_audit action=alert_fired ss_app=omega_core_audit
| convert ctime(trigger_time)
| eval Criticality = case(severity=1,"Info", severity=2, "Low", severity=3, "Medium", severity=4,"High", severity=5, "Critical", 1=1, severity)
| stats earliest(trigger_time) as min_time, latest(trigger_time) as max_time, count by ss_name Criticality
| eval min_time = strftime(min_time,"%Y-%m-%d %H:%M:%S")
field min_time returns NULL after I try to set format.
(max_time is OK - but without format)
please advise on how to correctly output the datetime fields with desired format
regards
Altin
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anilchaithu
Builder
11-23-2020
09:30 AM
strftime converts UNIX time to regualr readable time. From the SPL, the min_time & max_time are already converted in line 2 of the code. Simply you can remove line 2 OR you can add the following stanzas
| eval min_time = strftime(strptime(min_time,"%m/%d/%Y %H:%M:%S"),"%Y-%m-%d"))
| eval max_time = strftime(strptime(max_time,"%m/%d/%Y %H:%M:%S"),"%Y-%m-%d"))
-- Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
altink
Builder
12-11-2020
06:15 AM
even If I replace
line:
| eval min_time = strftime(min_time,"%Y-%m-%d %H:%M:%S")
with
| fieldformat min_time = strftime(min_time,"%Y-%m-%d %H:%M:%S")
still I get an empty min_time field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
altink
Builder
12-11-2020
05:57 AM
can anyone advise on this ?
regards
Altin
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
anilchaithu
Builder
11-23-2020
09:30 AM
strftime converts UNIX time to regualr readable time. From the SPL, the min_time & max_time are already converted in line 2 of the code. Simply you can remove line 2 OR you can add the following stanzas
| eval min_time = strftime(strptime(min_time,"%m/%d/%Y %H:%M:%S"),"%Y-%m-%d"))
| eval max_time = strftime(strptime(max_time,"%m/%d/%Y %H:%M:%S"),"%Y-%m-%d"))
-- Hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
altink
Builder
11-23-2020
11:08 AM
thank you
if I remove line 2 I get unix time only.
if I remove the two my last evals I get the default datime format - but what I need is a formated as below:
y-m-d H:M:S
your two proposed stanzas return NULL - with or without line 2
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
