DateTime Format for search result

rossboss1989 · ‎09-19-2018

index=db_apps_digital host=hst1* OR host=hst2* NOT host=hst5 NOT host=hst6 sourcetype="API.CMC-too_small" 
 | stats count latest(Timestamp) as latestTime by Properties.Message, Level
 | eval latestTime=strftime(latestTime,"%Y-%m-%d") 
 | sort Level, -count
 | head 10

I have got my search result to return the expected results. Giving me the count of the events with the latest date time shown.

Using the above eval causes the latestTime column to return blank values.

I now need to format the date time of the search result
from 2018-09-19T21:47:31.0043487+02:00
to 2018-09-19 21:47:31.

renjith_nair · ‎09-19-2018

@rossboss1989,

Try changing the time to epoch and convert back eval latestTime=strftime(strptime(latestTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")

 index=db_apps_digital host=hst1* OR host=hst2* NOT host=hst5 NOT host=hst6 sourcetype="API.CMC-too_small" 
  | stats count latest(Timestamp) as latestTime by Properties.Message, Level
  | eval latestTime=strftime(strptime(latestTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")
  | sort Level, -count
  | head 10

You may adjust the time format according to your requirements.

---
What goes around comes around. If it helps, hit it with Karma 🙂

DateTime Format for search result

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

DateTime Format for search result

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...