I have 3 different time date fields in my logs with 2 being redundant and the other being a different measure.
Time_A= %m-%d-%y 00:00:00 (yes, there is no hour, minute, second recorded)
Time_B= %m-%d-%y 00:00:00 (again, yes)
Time_C= Minutes after midnight
Is there a simple way to convert Time_C to anything similar to %T (understanding that seconds will be truncated) and then have a join of Time_A and Time_C?
"TimeDate = Time_A + Time_C" in a format Splunk could read as a usable format is the preferred outcome.
First off, thank you all for taking the time to help out! I realize now that I could have been much more clear and informative with my question. I will attach a copy of a slightly edited version of my logs after going through the indexer:
2018-04-04 00:00:00.000, LoginHistory="11968096", Logon=" ", Action="1", Date="2018-04-04 00:00:00.0", Time="538", Terminal=" ", AudSID="508081017", User="18187", StationId="7797", Application="0", IsPINAttempt="0", AuditUser="18187", AuditStationId="7797"
Action = 1
Date = 2018-04-04 00:00:00.0
LoginHistory = 11968096
Logon =
Terminal =
Time = 538
host =
I am, likely obviously, new to Splunk. My overall objective is to have Splunk recognize event times as its own date time. I believe this variable is _time. It seems as though the suggested solution is to get my 'Time' field converted to seconds.
| makeresults count=3
| eval Date="2018-04-04 00:00:00.0", Time="538"
| eval duration=tonumber(Time)*60
| eval date_epoch=strptime(substr(Date,1,10), "%Y-%m-%d")
| eval _time=date_epoch+duration
| table _time Date Time duration
This is what I think it should look like based on the suggestions, but I have no idea how to apply that to the current index or if I am even using the right syntax.
try adding something like this:
|eval new_time=substr(Time_A,1,10)." ".tostring(Time_C*60,"duration")
it should grab the first 10 characters of your date in Time_A and calculate the duration for Time_C by converting the minutes to seconds and putting it into a duration format.
Try something like this, if you want to see results at search time:
| makeresults
| eval time_A="04-31-2018 00:00:00"
| eval time_C="12:01:50"
| rex mode=sed field=time_A "s/00:00:00//g"
| eval time_A=tostring(time_A).tostring(time_C)
| table time_A
Hey @Riossr,
You can try this run anywhere command:
| makeresults count=3
| eval duration=60
| eval dateadded_epoch=strftime('_time',"%Y-%m-%d %H:%M:%S")
| eval date_epoch=strptime('dateadded_epoch',"%Y-%m-%d %H:%M:%S")
| eval date=date_epoch+duration
| eval date1=strftime('date', "%Y-%m-%d %H:%M:%S")
You need to convert your Time_A to epoch and then add Time_C and then again convert to date.
That will help you use it in a readable format.
Let me know if this helps!!
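The following is an added example, not code from anyone in this thread. It carries the procedure the answers describe (parse the date-only field, take the epoch of midnight, add Time*60, turn the result back into a timestamp) through in Python on a sample line modelled on the one posted in the question, and it adds the check a practitioner wants before writing such a value into _time: the log carries no UTC offset, so the source system's time zone is an assumption you have to state, and on a DST-transition day "midnight + minutes*60" and "HH:MM on that date" are not the same instant. The zone name America/New_York is assumed for illustration only, and the code relies on the system's tz database being present.

```python
import re
from datetime import datetime, timezone
from zoneinfo import ZoneInfo  # assumes a system tz database is available

# Constructed sample line, modelled on the one in the question (not a real record).
SAMPLE_LINE = (
    '2018-04-04 00:00:00.000, LoginHistory="11968096", Logon=" ", Action="1", '
    'Date="2018-04-04 00:00:00.0", Time="538", Terminal=" ", AudSID="508081017", '
    'User="18187", StationId="7797", Application="0", IsPINAttempt="0", '
    'AuditUser="18187", AuditStationId="7797"'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')
MINUTES_PER_DAY = 24 * 60


def parse_fields(line):
    """Pull the key="value" pairs out of one log line, trimming padding blanks."""
    return {k: v.strip() for k, v in KV_RE.findall(line)}


def minutes_to_hms(minutes):
    """Render minutes-after-midnight as the %T-style string asked for: 538 -> '08:58:00'.
    Seconds are always 00 because the source never recorded them."""
    if not 0 <= minutes < MINUTES_PER_DAY:
        raise ValueError(f"minutes-after-midnight out of range: {minutes}")
    return f"{minutes // 60:02d}:{minutes % 60:02d}:00"


def _zone(tz_name):
    """The log carries no offset, so the caller states the source system's zone
    (an assumption; 'UTC' here means timezone.utc, anything else is an IANA name)."""
    return timezone.utc if tz_name.upper() == "UTC" else ZoneInfo(tz_name)


def local_midnight(date_str, tz_name):
    """Parse only the date part of Date="2018-04-04 00:00:00.0" as local midnight."""
    return datetime.strptime(date_str[:10], "%Y-%m-%d").replace(tzinfo=_zone(tz_name))


def event_epoch_by_offset(date_str, minutes, tz_name):
    """What the thread proposes: epoch(midnight) + minutes*60.
    This reads Time as elapsed seconds since midnight."""
    minutes_to_hms(minutes)  # range check only
    return local_midnight(date_str, tz_name).timestamp() + minutes * 60


def event_epoch_by_wall_clock(date_str, minutes, tz_name):
    """Alternative reading: Time is a clock reading, so build HH:MM on that date."""
    minutes_to_hms(minutes)  # range check only
    return local_midnight(date_str, tz_name).replace(
        hour=minutes // 60, minute=minutes % 60
    ).timestamp()


def event_time(line, tz_name):
    """End to end: log line -> (epoch, ISO-8601 string) using the offset method."""
    fields = parse_fields(line)
    epoch = event_epoch_by_offset(fields["Date"], int(fields["Time"]), tz_name)
    return epoch, datetime.fromtimestamp(epoch, _zone(tz_name)).isoformat()


def dst_divergence_seconds(date_str, minutes, tz_name):
    """Seconds by which the two readings differ: 0 on ordinary days, +3600 or -3600
    when a DST clock change falls between midnight and the event."""
    return event_epoch_by_offset(date_str, minutes, tz_name) - event_epoch_by_wall_clock(
        date_str, minutes, tz_name
    )


if __name__ == "__main__":
    print(minutes_to_hms(538))
    print(event_time(SAMPLE_LINE, "UTC"))
    print(event_time(SAMPLE_LINE, "America/New_York"))
    # 2018-03-11 is the US spring-forward date: the two readings disagree by an hour.
    print(dst_divergence_seconds("2018-03-11 00:00:00.0", 538, "America/New_York"))
```

The value that belongs in _time is the numeric epoch, not a formatted string, which is why the functions above return floats and only format for display at the end. Which of the two interpretations is right depends on how the source application counts "minutes after midnight"; that has to be confirmed with the application's documentation, since the two only disagree twice a year and a difference of an hour in a login record is exactly the kind of error that goes unnoticed until an investigation depends on it.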