Re: DateTime Format for search result

rossboss1989 · ‎09-19-2018

index=db_apps_digital host=hst1* OR host=hst2* NOT host=hst5 NOT host=hst6 sourcetype="API.CMC-too_small" 
 | stats count latest(Timestamp) as latestTime by Properties.Message, Level
 | eval latestTime=strftime(latestTime,"%Y-%m-%d") 
 | sort Level, -count
 | head 10

I have got my search result to return the expected results. Giving me the count of the events with the latest date time shown.

Using the above eval causes the latestTime column to return blank values.

I now need to format the date time of the search result
from 2018-09-19T21:47:31.0043487+02:00
to 2018-09-19 21:47:31.

renjith_nair · ‎09-19-2018

@rossboss1989,

Try changing the time to epoch and convert back eval latestTime=strftime(strptime(latestTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")

 index=db_apps_digital host=hst1* OR host=hst2* NOT host=hst5 NOT host=hst6 sourcetype="API.CMC-too_small" 
  | stats count latest(Timestamp) as latestTime by Properties.Message, Level
  | eval latestTime=strftime(strptime(latestTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")
  | sort Level, -count
  | head 10

You may adjust the time format according to your requirements.

---
What goes around comes around. If it helps, hit it with Karma 🙂

DateTime Format for search result

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

DateTime Format for search result

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits