First, I read similar Question/Answers and was able to follow them for other time formats. These work well but didn't address the specific format my timestamp is in.
Use Case:
I have a field called "StartTime" and it has time in the following format: 2017-02-05T10:02:00.000-0800
I would like this to be converted for all fields so that when I table "StartTime" I get a human-readable format. I will be doing the same conversion for a field called "EndTime", which is in the same format.
Any help is appreciated.
It's already in human-readable format, but if you want to change the format try this:
... | fieldformat StartTime=strftime(strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N%z"), "%m-%d-%Y %H:%M %p") | fieldformat EndTime=strftime(strptime(EndTime,"%Y-%m-%dT%H:%M:%S.%3N%z"), "%m-%d-%Y %H:%M %p") | ...
This is actually along the lines of what I was trying initially. When I use fieldformat with strf and strp it removes all data from that field when I table it.
index="my_index"
| dedup key
| search key!=""
| fieldformat "StartTime"=strftime(strptime("StartTime","%Y-%m-%dT%H:%M:%S.%3N%z"), "%m-%d-%Y %H:%M %p")
| table key Summary StartTime
Results in StartTime being empty within the table.
Get rid of your quotes:
|stats count | fields - count | eval StartTime="2017-02-05T10:02:00.000-0800"
| fieldformat StartTime=strftime(strptime(StartTime,"%Y-%m-%dT%H:%M:%S.%3N%z"),"%m-%d-%Y %H:%M %p")
| table StartTime
Doh. Always the little things. I appreciate the additional eyes.
What do you mean by human readable? Can you provide an example of what you'd like the end result to look like?
Something similar to "2-5-2017 10:02 AM" for the example listed above.