Getting Data In

How do I strip out part of the timestamp so I only get the date?

mctester
Communicator

I am trying to build a report where I want to summarize the number of events for an entire year by day sorting by host tags. The issue I am having is how to break the data apart in my search to search the date based only on the month day and year and ignore the timestamp portion. I see that the date is broken apart into fields but I cannot figure out how to concatenate the filed parts into a single field. I am trying to do something similar to a ANSI SQL date part function.

Tags (1)
0 Karma

sideview
SplunkTrust
SplunkTrust

This is probably too simple an observation but just in case.
"trying to build a report where I want to summarize the number of events for an entire year by day sorting by host tags" is a relatively simple thing to do.
And it makes me think you just want a report of events by day, broken out per host tag. You wouldnt need convert or eval to do that, it would just be:

<your search> | timechart span=1d count by hosttag

run that search over the 'year to date' option in the TimeRangePicker (under 'Other')

This will give you a table where each row is a day, each column across the top is a host tag, and each cell is the count of events for that host tag on that day.

by default timechart will only give you the top 10 hosttags, but you can throw a limit argument in there to raise it.

gkanapathy
Splunk Employee
Splunk Employee

If you are searching, you can search on the date_year and date_mday fields in your search. For display purposes, you can use the convert search and strftime() functions after you have search results.

0 Karma

Lowell
Super Champion

In 4.1 you can also use the strftime eval command like so:

<search_terms> | eval Time=strftime(_time,"%m/%d/%y")

If you need backwards compatibility with 4.0 or want to convert multiple times as once that going with convert make the most sense. Otherwise I feel like the eval approach is slightly easier to understand.

0 Karma

Mick
Splunk Employee
Splunk Employee

How does this work for you?

<search_terms> | convert ctime(_time) as Time timeformat=%m/%d/%y 

This should give you a new field called 'Time' with the format close to the way you want it. You can also play around with the 'timeformat' to get it to display differently.

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...