DateTime Format for search result - Splunk Community

Splunk Search

index=db_apps_digital host=hst1* OR host=hst2* NOT host=hst5 NOT host=hst6 sourcetype="API.CMC-too_small" 
 | stats count latest(Timestamp) as latestTime by Properties.Message, Level
 | eval latestTime=strftime(latestTime,"%Y-%m-%d") 
 | sort Level, -count
 | head 10

I have got my search result to return the expected results. Giving me the count of the events with the latest date time shown.

Using the above eval causes the latestTime column to return blank values.

I now need to format the date time of the search result
from 2018-09-19T21:47:31.0043487+02:00
to 2018-09-19 21:47:31.

@rossboss1989,

Try changing the time to epoch and convert back eval latestTime=strftime(strptime(latestTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")

 index=db_apps_digital host=hst1* OR host=hst2* NOT host=hst5 NOT host=hst6 sourcetype="API.CMC-too_small" 
  | stats count latest(Timestamp) as latestTime by Properties.Message, Level
  | eval latestTime=strftime(strptime(latestTime,"%Y-%m-%dT%H:%M:%S.%N%z") ,"%Y-%m-%d %H:%M:%S")
  | sort Level, -count
  | head 10

You may adjust the time format according to your requirements.

---
What goes around comes around. If it helps, hit it with Karma 🙂

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Tiling

This puzzle (first published here) is based on finding groups of tessellated tiles (inspired by floor tiles I ...

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Thursday, July 9, 2026 | 11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...