Solved: How do I include leading 0 in the time fields

digital_alchemy · ‎05-09-2013

I would like to combine the date_hour, date_minute and date_second fields to display in the following format when using the top command: hh:mm:ss

The problem I'm having is that the output will remove any leading zeros from the minutes; so, for example instead of 12:05:02 I get 12:5:2.

This how I'm currently combining the fields:

mysearch | eval time = date_hour.":".date_minute.":".date_second | top time,src,src_port,dest,dest_port

bmacias84 · ‎05-09-2013

The best way if possible is to convert or use epoch time with in your search. Then use strftime eval funtion to convert to the desired format.



eval time = strftime(epoch,%H:%M:%S)

additional reading:

Hope this help or gets you started. Dont forget to vote and accept answer that help.

Cheers

bmacias84 · ‎05-09-2013

The best way if possible is to convert or use epoch time with in your search. Then use strftime eval funtion to convert to the desired format.



eval time = strftime(epoch,%H:%M:%S)

additional reading:

Hope this help or gets you started. Dont forget to vote and accept answer that help.

Cheers

How do I include leading 0 in the time fields