Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Add time in search string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add time in search string
Hi All,
i want to add time in search string.
My data is showing time 26-02-2018T02:00:00.000+0000, but while searching i want to add 11 hour , means it should create filter for time 27-02-2018T13:00:00.000+0000.
Also after this i also want to apply substring on time to just show dates.
i am using below one, but its not working.
index=XXXXXX source="XXXXXX" |eval host=add(Date,+11) | eval hostgroup=substr(Date,1,10) | stats count(Date) by hostgroup
Please help.
Vikash
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=XXXXXX source="XXXXXX" |eval date=strptime(CDate, "%d-%m-%Y %H:%M:%S.%3N%z") | eval date1=date+39600 | eval hostgroup =strftime(date1, "%d-%m-%Y") | stats count(CDate) by hostgroup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
This may be helpful for you:
index=XXXXXX source="XXXXXX" |eval date=strftime(Date, "%d-%m-%Y %H:%M:%S.%3N%z") | eval date1=date+39600 | eval hostgroup =strptime(date1, "%d-%m-%Y") | stats count(date) by hostgroup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@p_gaurav
Thanks for your quick reply.
Query is not provding any output.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
can you tell me output of this:
index=XXXXXX source="XXXXXX" |eval date=strftime(_time, "%d-%m-%Y %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have too many date fields, out of which i want to create filter for one of the date field. i am not sure if _time will help here.
Below is the date field on which i need to execute the query.
CDate: 2018-02-27T03:55:28.000+0000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @p_gaurav
We are getting output 0 though we have non-zero value.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
