Solved: Help with a STRPTIME

cramasta · ‎03-06-2012

So when Splunk admon changed from 4.1.5 to 4.1.6 they also changed how it exacted a timestamp field from AD

4.1.5 had fields that looked like this

whenChanged=20100128233113.0Z

whenCreated=20100128232712.0Z

With this format I could create a nice STRPTIME that worked for turning this into timestamp splunk understood

4.1.6 came out and changed it to this

whenCreated=10:15.04 pm, Tue 02/12/2008

whenChanged=10:23.00 pm, Tue 02/12/2008

In 4.3 ADMON the timestamp is still extracted in the 4.1.6 format

Does anyone have any suggestions on how I can create a STRPTIME to recognize this format. I cant seem to figure out a way to get it to understand/ignore the abbreviated days of the week.

Thanks,
J

lguinn2 · ‎03-06-2012

strptime(whenCreated, "%I:%M.%S %p, %a %m/%d/%Y")

should work...

View solution in original post

lguinn2 · ‎03-06-2012

strptime(whenCreated, "%I:%M.%S %p, %a %m/%d/%Y")

should work...

cramasta · ‎03-06-2012

that worked great thank you very much. I read right over the %a function when looking up strptime formats.

Help with a STRPTIME

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies