Splunk Search

Help on SystemTime format and SystemTime stats

jip31
Motivator

Hi

I use the search below but SystemTime doesnt return results
SystemTime format is like this : '2019-03-25T03:49:42.458421900Z'
What is the issue please?

index="x" sourcetype=x (EventCode=6005 OR EventCode=6006) 
| eval SystemTime=strftime(strptime(SystemTime, "%Y-%m-%dT%H:%M:%S.%9Q%Z"), "%y-%m-%d %H:%M") 
| table host SystemTime

I also want to stats in a table the latest SystemTime for EventCode=6005 and the latest SystemTime for EventCode=6006)
Something like this :

| stats latest(6005) as LastLogon, latest(6006) as LastReboot by host 
| sort -LastLogon -LastReboot

Could you help me please??

Tags (1)
0 Karma

somesoni2
Revered Legend

When you run below query, does the value shown in the table has single quotes in them?

index="x" sourcetype=x (EventCode=6005 OR EventCode=6006) 
 | table host SystemTime

For your second requirement, try like this

index="x" sourcetype=x (EventCode=6005 OR EventCode=6006) 
| stats latest(SystemTime) as SystemTime by host EventCode
| xyseries host EventCode SystemTime | rename "6005" as LastLogon "6006" as LastReboot
| sort -LastLogon -LastReboot

Update - working solution for time conversion

index="x" sourcetype=x (EventCode=6005 OR EventCode=6006) 
  | eval SystemTime=strftime(strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'"), "%y-%m-%d %H:%M") 
  | table host SystemTime
0 Karma

jip31
Motivator

yes there is single quote
I have changed it in my eval but it doesnt works....
Thanks for the second requirement its good

0 Karma

somesoni2
Revered Legend

Give this a try (single quotes are added to strptime function time format)

index="x" sourcetype=x (EventCode=6005 OR EventCode=6006) 
 | eval SystemTime=strftime(strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'"), "%y-%m-%d %H:%M") 
 | table host SystemTime
0 Karma

jip31
Motivator

I dont know why but i cant accept your answer

0 Karma

somesoni2
Revered Legend

I converted my comments to answer now. You should be able to close it now.

0 Karma

jip31
Motivator

perfect it works!! thanks

0 Karma
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

Splunk Developers: Go Beyond the Dashboard with These .Conf25 Sessions

  Whether you’re building custom apps, diving into SPL2, or integrating AI and machine learning into your ...

Index This | How do you write 23 only using the number 2?

July 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...