Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Remove T ffrom the timestamp and find the different two different time column

ravir_jbp
Explorer
‎06-28-2024 01:26 AM

 

Able to get event output in table format. But looking for eval condition:

1. Remove T from the timestamp and convert the below UTC/GMT to EST and need this in YYYY-MM-DD HH:MM:SS

2. And need the time different between c_timestamp and c_mod and add the time difference in Timetaknen column.

 

Capture.JPG

Labels (1)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-28-2024 02:20 AM

Change your global time zone to be your local time zone e.g. EST.

To calculate differences in times you need to parse the strings to epoch format

| eval epoch_timestamp=strptime(c_timestamp,"%FT%T.%6N%z")
| eval local_timestamp=strftime(epoch_timestamp,"%F %T.%6N %Z")
| eval epoch_mod=strptime(c_mod,"%FT%T.%6N%z")
| eval local_mod=strftime(epoch_mod,"%F %T.%6N %Z")
| eval diff=epoch_mod-epoch_timestamp
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...