Splunk Search

Every timespan of a transaction needs a time format

Manasi25
Explorer

hello,


I have alert transactions at "ACK" and at "Resolved"; I have created a table for each value, but I am unable to edit the time format of each. Please help. Please find the attached image for reference.

Current output (one row, with the multi-value columns shown one value per line):

857415
piyush.moorjani
piyush.moorjani
2021-08-25T01:57:26Z
2021-08-25T01:58:47Z
ACKED
RESOLVED


I need a time format for the third column.


ITWhisperer
SplunkTrust

Are these multi-value fields? If so, have you tried mvmap to format each value?


Manasi25
Explorer

Hi,


No, I haven't used mvmap for this.

These are multi-value fields from the same field, called transitions{}.at

858681
mike.dowling
mike.dowling
2021-08-25T14:44:00Z
2021-08-25T14:53:40Z
ACKED
RESOLVED

ITWhisperer
SplunkTrust

| makeresults
| eval _raw="858681,mike.dowling|mike.dowling,2021-08-25T14:44:00Z|2021-08-25T14:53:40Z,ACKED|RESOLVED"
| eval _raw=split(_raw,",")
| eval incident=mvindex(_raw,0)
| eval name=split(mvindex(_raw,1),"|")
| eval time=split(mvindex(_raw,2),"|")
| eval status=split(mvindex(_raw,3),"|")
| table incident name time status

| eval time=mvmap(time,strftime(strptime(time,"%Y-%m-%dT%H:%M:%S"),"%d/%m/%Y %H:%M:%S"))

Manasi25
Explorer

Hi @ITWhisperer

I have multiple alerts with incidentNumber, user, ack time and resolved time.
How can I sort my whole data, as it has lots of rows?


ITWhisperer
SplunkTrust

You should probably extract the transitions array, mvexpand it into separate events, then extract the fields from transitions.


Manasi25
Explorer

I did mvexpand for this; I need a time format for the "TIME" column. PFB


ITWhisperer
SplunkTrust

I have shown you how to reformat multi-value fields, but you also mentioned sort - what are you trying to sort by? Perhaps if you gave an example of the desired output, that might help. By the way, you haven't used mvexpand in the way I suggested, but without knowing what you are trying to achieve, it is hard to know whether what you have done is correct or not.


Manasi25
Explorer

hello

I want to time format column "TIME". I have formatted it, but it results in "NULL" output, as these times come from a single field called "transitions{}.at" and I am unable to format two values at a time into a table.

startTime: 2021-08-26T11:02:25Z
transitions: [
  {
    at: 2021-08-26T11:03:06Z
    by: asma.sahbani
    name: ACKED
  }
  {
    at: 2021-08-26T11:12:58Z
    by: asma.sahbani
    manually: true
    name: RESOLVED
  }
]


Manasi25
Explorer

hello


Any update on this?


ITWhisperer
SplunkTrust

Did you try the mvmap solution I proposed earlier? What were the results?


Manasi25
Explorer

Here is the result. It worked, but how can we use it on my sourcetype/index?

Please help, I'm just a beginner.


My data is below,


ITWhisperer
SplunkTrust

OK, your field appears to be called TIME rather than time as in my example, so try

| eval TIME=mvmap(TIME,strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%S"),"%d/%m/%Y %H:%M:%S"))

Manasi25
Explorer

Hello

It worked, but it is showing an incorrect time for the "ACK" alerts, and it's skipping the "Resolved" time in the second row of a single "incidentNumber".


ITWhisperer
SplunkTrust

You appear to be making a 5-hour adjustment to times elsewhere in the search, so you could do the same here

| eval TIME=mvmap(TIME,strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%S")-18000,"%d/%m/%Y %H:%M:%S"))
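
As an added example (not from this thread), the search below applies ITWhisperer's earlier suggestion of extracting the transitions array, mvexpand-ing it into one event per transition and then extracting the fields, combined with the same strptime/strftime conversion and 5-hour (18000 s) adjustment as the fix above. The JSON event is constructed from the values shown in this thread; the output field names incidentNumber, user and status are assumptions, and the trailing Z in the strptime format is matched as a literal character.

```spl
| makeresults
| eval _raw="{\"incidentNumber\":\"858681\",\"startTime\":\"2021-08-26T11:02:25Z\",\"transitions\":[{\"at\":\"2021-08-26T11:03:06Z\",\"by\":\"asma.sahbani\",\"name\":\"ACKED\"},{\"at\":\"2021-08-26T11:12:58Z\",\"by\":\"asma.sahbani\",\"manually\":true,\"name\":\"RESOLVED\"}]}"
| spath input=_raw path=incidentNumber
| spath input=_raw path=transitions{} output=transition
| mvexpand transition
| spath input=transition path=at output=TIME
| spath input=transition path=by output=user
| spath input=transition path=name output=status
| eval TIME=strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%SZ")-18000,"%d/%m/%Y %H:%M:%S")
| table incidentNumber user status TIME
```

Because each transition becomes its own row after mvexpand, TIME is single-valued and mvmap is no longer needed, and no ACKED/RESOLVED value can be dropped from a row. A fixed 18000-second subtraction does not follow daylight-saving changes, so check the converted times against the raw "at" values after a DST switch.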

Manasi25
Explorer

Thank you! It worked.
