
Help with a STRPTIME

Builder

So when Splunk admon changed from 4.1.5 to 4.1.6, they also changed how it extracted a timestamp field from AD.

4.1.5 had fields that looked like this

whenChanged=20100128233113.0Z

whenCreated=20100128232712.0Z

With this format I could create a nice STRPTIME that worked for turning this into a timestamp Splunk understood.


4.1.6 came out and changed it to this

whenCreated=10:15.04 pm, Tue 02/12/2008

whenChanged=10:23.00 pm, Tue 02/12/2008

In 4.3 ADMON the timestamp is still extracted in the 4.1.6 format.

Does anyone have any suggestions on how I can create a STRPTIME to recognize this format? I can't seem to figure out a way to get it to understand/ignore the abbreviated days of the week.

Thanks,
J

0 Karma

Legend
strptime(whenCreated, "%I:%M.%S %p, %a %m/%d/%Y")

should work...


Builder

That worked great, thank you very much. I read right over the %a function when looking up strptime formats.

0 Karma
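
Added example, not part of the original thread: a Python normalizer for both admon layouts shown in the question, useful when an index holds events from forwarders on either side of the 4.1.6 change. Python's `datetime.strptime` accepts the same directives as the accepted answer's format string; the 4.1.5 format string, the function name `parse_admon_time` and an English locale are assumptions.

```python
from datetime import datetime, timezone

# ADMON_416 is the format string from the accepted answer. ADMON_415 is an
# assumption written to fit the older samples in the question.
ADMON_415 = "%Y%m%d%H%M%S.0Z"           # whenChanged=20100128233113.0Z
ADMON_416 = "%I:%M.%S %p, %a %m/%d/%Y"   # whenCreated=10:15.04 pm, Tue 02/12/2008

DAYS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


def parse_admon_time(value):
    """Return a datetime for either admon timestamp layout (hypothetical helper).

    The 4.1.5 layout ends in Z, so the result is UTC-aware. The 4.1.6 layout
    carries no zone information, so the result is a naive datetime.
    """
    value = value.strip()
    try:
        return datetime.strptime(value, ADMON_415).replace(tzinfo=timezone.utc)
    except ValueError:
        pass  # not the 4.1.5 layout, try the 4.1.6 one

    parsed = datetime.strptime(value, ADMON_416)  # ValueError if neither fits

    # Python's %a matches any weekday name without comparing it to the date,
    # so check it explicitly to catch corrupted or mis-ordered date fields.
    stated = value.split(",", 1)[1].split()[0].lower()
    if DAYS[parsed.weekday()] != stated:
        raise ValueError(f"weekday {stated!r} does not match date in {value!r}")
    return parsed


if __name__ == "__main__":
    # Sample values copied from the question.
    for sample in ("20100128233113.0Z", "10:15.04 pm, Tue 02/12/2008"):
        print(sample, "->", parse_admon_time(sample).isoformat())
```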