Hello,
I have alert transitions at "ACK" and at "Resolved". I have created a table for each value, but I am unable to edit the time format of each. Please help. Please find the attached image for reference.
Current output:
857415 | piyush.moorjani piyush.moorjani | 2021-08-25T01:57:26Z 2021-08-25T01:58:47Z | ACKED RESOLVED |
I need the time format of the third column.
Are these multi-value fields? If so, have you tried mvmap to format each value?
Hi,
No, I haven't used mvmap for this.
These are multi-value fields from the same field, called transitions{}.at
858681 | mike.dowling mike.dowling | 2021-08-25T14:44:00Z 2021-08-25T14:53:40Z | ACKED RESOLVED |
| makeresults
| eval _raw="858681,mike.dowling|mike.dowling,2021-08-25T14:44:00Z|2021-08-25T14:53:40Z,ACKED|RESOLVED"
| eval _raw=split(_raw,",")
| eval incident=mvindex(_raw,0)
| eval name=split(mvindex(_raw,1),"|")
| eval time=split(mvindex(_raw,2),"|")
| eval status=split(mvindex(_raw,3),"|")
| eval time=mvmap(time,strftime(strptime(time,"%Y-%m-%dT%H:%M:%S"),"%d/%m/%Y %H:%M:%S"))
| table incident name time status
Hi @ITWhisperer
I have multiple alerts with incidentNumber, user, ack time and resolved time.
How can I sort my whole data, as it has lots of rows?
You should probably extract the transitions array, mvexpand it into separate events, then extract the fields from transitions.
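A worked example of the approach just described (extract the transitions array, mvexpand it, then pull the fields out of each transition), added here as illustration and not part of ITWhisperer's answer. The event is constructed from the sample event pasted later in the thread; the top-level field name incidentNumber and the output field names are assumptions.

```spl
| makeresults
| eval _raw="{\"incidentNumber\":858681,\"startTime\":\"2021-08-26T11:02:25Z\",\"transitions\":[{\"at\":\"2021-08-26T11:03:06Z\",\"by\":\"asma.sahbani\",\"name\":\"ACKED\"},{\"at\":\"2021-08-26T11:12:58Z\",\"by\":\"asma.sahbani\",\"manually\":true,\"name\":\"RESOLVED\"}]}"
| spath input=_raw path=incidentNumber output=incident
| spath input=_raw path=transitions{} output=transition
| mvexpand transition
| spath input=transition path=at output=TIME
| spath input=transition path=by output=user
| spath input=transition path=name output=status
| eval TIME=strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%SZ"),"%d/%m/%Y %H:%M:%S")
| table incident user TIME status
| sort incident TIME
```

After mvexpand each transition is its own row, so TIME is a single value and a plain eval formats it with no mvmap; against real data, drop the makeresults and eval _raw lines and start from the search that returns the incident events. Note that strptime with no %z in the format interprets the timestamp in the searching user's time zone, so a UTC string ending in Z will be shifted unless the user's time zone is UTC or a fixed offset is applied to the epoch value before strftime.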
I did mvexpand for this; I need the time format for the "TIME" column. PFB
I have shown you how to reformat multi-value fields, but you also mentioned sort. What are you trying to sort by? Perhaps if you gave an example of the desired output, that might help. By the way, you haven't used mvexpand in the way I suggested, but without knowing what you are trying to achieve, it is hard to know whether what you have done is correct or not.
Hello
I want to format the time of column "TIME". I have formatted it, but it results in "NULL" output, as these times come from a single field called "transitions{}.at" and I am unable to format two values at a time into a table.
startTime: 2021-08-26T11:02:25Z
transitions: [
  {
    at: 2021-08-26T11:03:06Z
    by: asma.sahbani
    name: ACKED
  }
  {
    at: 2021-08-26T11:12:58Z
    by: asma.sahbani
    manually: true
    name: RESOLVED
  }
]
Hello,
any update on this?
Did you try the mvmap solution I proposed earlier? What were the results?
Here is the result. It worked, but how can we use it on my sourcetype/index?
Please help, I am just a beginner.
My data is below.
OK, your field appears to be called TIME rather than time as in my example, so try
| eval TIME=mvmap(TIME,strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%S"),"%d/%m/%Y %H:%M:%S"))
Hello,
It worked, but it is showing an incorrect time for the "ACK" alerts, and it is skipping the "Resolved" time in the second row of a single "incidentNumber".
You appear to be making a 5 hour adjustment to times elsewhere in the search so you could do the same here
| eval TIME=mvmap(TIME,strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%S")-18000,"%d/%m/%Y %H:%M:%S"))