Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help on SystemTime format and SystemTime stats

jip31
Motivator
‎03-25-2019 06:27 AM

Hi

I use the search below but SystemTime doesnt return results
SystemTime format is like this : '2019-03-25T03:49:42.458421900Z'
What is the issue please?

index="x" sourcetype=x (EventCode=6005 OR EventCode=6006) 
| eval SystemTime=strftime(strptime(SystemTime, "%Y-%m-%dT%H:%M:%S.%9Q%Z"), "%y-%m-%d %H:%M") 
| table host SystemTime

I also want to stats in a table the latest SystemTime for EventCode=6005 and the latest SystemTime for EventCode=6006)
Something like this :

| stats latest(6005) as LastLogon, latest(6006) as LastReboot by host 
| sort -LastLogon -LastReboot

Could you help me please??

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎03-25-2019 07:10 AM

When you run below query, does the value shown in the table has single quotes in them?

index="x" sourcetype=x (EventCode=6005 OR EventCode=6006) 
 | table host SystemTime

For your second requirement, try like this

index="x" sourcetype=x (EventCode=6005 OR EventCode=6006) 
| stats latest(SystemTime) as SystemTime by host EventCode
| xyseries host EventCode SystemTime | rename "6005" as LastLogon "6006" as LastReboot
| sort -LastLogon -LastReboot

Update - working solution for time conversion

index="x" sourcetype=x (EventCode=6005 OR EventCode=6006) 
  | eval SystemTime=strftime(strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'"), "%y-%m-%d %H:%M") 
  | table host SystemTime
0 Karma
Reply

jip31
Motivator
‎03-27-2019 04:29 AM

yes there is single quote
I have changed it in my eval but it doesnt works....
Thanks for the second requirement its good

0 Karma
Reply

somesoni2
Revered Legend
‎03-27-2019 09:22 AM

Give this a try (single quotes are added to strptime function time format)

index="x" sourcetype=x (EventCode=6005 OR EventCode=6006) 
 | eval SystemTime=strftime(strptime(SystemTime, "'%Y-%m-%dT%H:%M:%S.%9Q%Z'"), "%y-%m-%d %H:%M") 
 | table host SystemTime
0 Karma
Reply

jip31
Motivator
‎03-27-2019 11:56 PM

I dont know why but i cant accept your answer

0 Karma
Reply

somesoni2
Revered Legend
‎03-28-2019 07:27 AM

I converted my comments to answer now. You should be able to close it now.

0 Karma
Reply

jip31
Motivator
‎03-27-2019 10:58 PM

perfect it works!! thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...