DateTime Format for search result - Splunk Community

Splunk Search

index=db_apps_digital host=hst1* OR host=hst2* NOT host=hst5 NOT host=hst6 sourcetype="API.CMC-too_small" 
 | stats count latest(Timestamp) as latestTime by Properties.Message, Level
 | eval latestTime=strftime(latestTime,"%Y-%m-%d") 
 | sort Level, -count
 | head 10

I have got my search result to return the expected results. Giving me the count of the events with the latest date time shown.

Using the above eval causes the latestTime column to return blank values.

I now need to format the date time of the search result
from 2018-09-19T21:47:31.0043487+02:00
to 2018-09-19 21:47:31.

@rossboss1989,

Try changing the time to epoch and convert back eval latestTime=strftime(strptime(latestTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")

 index=db_apps_digital host=hst1* OR host=hst2* NOT host=hst5 NOT host=hst6 sourcetype="API.CMC-too_small" 
  | stats count latest(Timestamp) as latestTime by Properties.Message, Level
  | eval latestTime=strftime(strptime(latestTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")
  | sort Level, -count
  | head 10

You may adjust the time format according to your requirements.

---
What goes around comes around. If it helps, hit it with Karma 🙂

Get Updates on the Splunk Community!

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

AI is one of the biggest topics in the market today, and for security teams, its value goes far beyond the ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

[REGISTER HERE] This thread is for the Community Office Hours session on Detection Engineering Office Hours: ...