Solved: Re: Change _Time to another field on a Single Quer...

erog · ‎09-30-2021

Hello,

I need to find a way to use another field for _Time on a single query (I don't want to change props just for 1 query)

Sample Time:

2021-06-19T04:15:59.845Z

I've tried several strptime I've seen in other questions but to no avail. I did get one to format previously for a table format using the following

| eval SeenTimeStringConverted=strftime(strptime(Time,"%Y-%m-%dT%H:%M:%S.%6N"),"%m/%d/%Y %H:%M:%S %p")

Here's my query I've been working on.

sourcetype="aws:cloudwatchlogs:securityhub" "CIS" "detail.findings{}.Compliance.Status"!=NULL | rename "detail.findings{}.FirstObservedAt" as Time | eval _time=strptime(Time,"%Y-%m-%dT%H:%M:%S.%6N") | timechart count by "detail.findings{}.Compliance.Status"

PickleRick · ‎09-30-2021

| makeresults 
| eval Time="2021-06-19T04:15:59.845Z" 
| eval _time=strptime(Time,"%Y-%m-%dT%H:%M:%S.%N%Z")

View solution in original post

PickleRick · ‎09-30-2021

| makeresults 
| eval Time="2021-06-19T04:15:59.845Z" 
| eval _time=strptime(Time,"%Y-%m-%dT%H:%M:%S.%N%Z")

Change _Time to another field on a Single Query

timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation