Solved: Concat time field to include start to end of hour

benj851 · ‎06-18-2021

Hello;

I've tried a few ways, but have been unsuccessful in creating a _time field to include the datetime, and the end hour. Ex. 06/18/2021 08:00 - 08:59. I'd appreciate any assistance in getting there.

When concating, the time field converts to unix. Then I can't convert it back to CTIME.

Here's an example of the data pulled:

index=foo host=hostfoo sourcetype=sourcefoo
| bin span=1h _time
| table _time

_time

2021-06-18 08:00

Desired:

_time

2021-06-18 08:00 - 08:59

aasabatini · ‎06-18-2021

Hi @benj851

try like this

<your search>
| eval date=strftime(_time, "%Y/%m/%d %H:%M")
| eval hour=strftime(_time, "%H")
| eval timestamp=date." "."-"." ".hour.":"."59"

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

View solution in original post

aasabatini · ‎06-18-2021

Hi @benj851

try like this

<your search>
| eval date=strftime(_time, "%Y/%m/%d %H:%M")
| eval hour=strftime(_time, "%H")
| eval timestamp=date." "."-"." ".hour.":"."59"

“The answer is out there, Neo, and it’s looking for you, and it will find you if you want it to.”

benj851 · ‎06-18-2021

Perfect thank you.

Concat time field to include start to end of hour

scripted input

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Concat time field to include start to end of hour

scripted input

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...