Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with a STRPTIME

cramasta
Builder
‎03-06-2012 02:30 PM

So when Splunk admon changed from 4.1.5 to 4.1.6 they also changed how it exacted a timestamp field from AD

4.1.5 had fields that looked like this

whenChanged=20100128233113.0Z

whenCreated=20100128232712.0Z

With this format I could create a nice STRPTIME that worked for turning this into timestamp splunk understood

4.1.6 came out and changed it to this

whenCreated=10:15.04 pm, Tue 02/12/2008

whenChanged=10:23.00 pm, Tue 02/12/2008

In 4.3 ADMON the timestamp is still extracted in the 4.1.6 format

Does anyone have any suggestions on how I can create a STRPTIME to recognize this format. I cant seem to figure out a way to get it to understand/ignore the abbreviated days of the week.

Thanks,
J

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-06-2012 02:37 PM 
strptime(whenCreated, "%I:%M.%S %p, %a %m/%d/%Y")

should work...

View solution in original post

Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎03-06-2012 02:37 PM 
strptime(whenCreated, "%I:%M.%S %p, %a %m/%d/%Y")

should work...

View solution in original post

Reply
Solved! Jump to solution

cramasta
Builder
‎03-06-2012 02:42 PM

that worked great thank you very much. I read right over the %a function when looking up strptime formats.

0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!