DateTime Format for search result

rossboss1989 · ‎09-19-2018

index=db_apps_digital host=hst1* OR host=hst2* NOT host=hst5 NOT host=hst6 sourcetype="API.CMC-too_small" 
 | stats count latest(Timestamp) as latestTime by Properties.Message, Level
 | eval latestTime=strftime(latestTime,"%Y-%m-%d") 
 | sort Level, -count
 | head 10

I have got my search result to return the expected results. Giving me the count of the events with the latest date time shown.

Using the above eval causes the latestTime column to return blank values.

I now need to format the date time of the search result
from 2018-09-19T21:47:31.0043487+02:00
to 2018-09-19 21:47:31.

renjith_nair · ‎09-19-2018

@rossboss1989,

Try changing the time to epoch and convert back eval latestTime=strftime(strptime(latestTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")

 index=db_apps_digital host=hst1* OR host=hst2* NOT host=hst5 NOT host=hst6 sourcetype="API.CMC-too_small" 
  | stats count latest(Timestamp) as latestTime by Properties.Message, Level
  | eval latestTime=strftime(strptime(latestTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")
  | sort Level, -count
  | head 10

You may adjust the time format according to your requirements.

---
What goes around comes around. If it helps, hit it with Karma 🙂

DateTime Format for search result

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine

Are you a member of the Splunk Community?

DateTime Format for search result

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Fun with Regular Expression - multiples of nine