Splunk Search

How to change my sample timestamp to a different time format?

Explorer

Hi,

I have time entries like 2017-01-04T19:12:33.0117979+00:00 in the logs.
How can I change this to 2017-01-04 19:12:33?
I tried eval Time=_time(_time,"%Y"-%m-%d %H:%M:%S) but it doesn't work.

Also, I want to get all rows of a table which have same values of a specific column. How can I achieve that?

Thanks,
Siddharth


Revered Legend

Are you trying to update the _raw data that you see in the search results OR create a new field Time which will store the time in the required format? For the latter, try like this:

| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S")

Explorer

This worked...
eval epochtime = strptime(Start,"%FT%H:%M:%S.%3Q") | eval "newtime" = strftime(epochtime, "%F %H:%M:%S") | table newtime

Can you please help me with query #2?

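The strptime/strftime pair above, reproduced in Python as an added example (not code from the thread) so the conversion can be checked offline. It assumes the log timestamps all have the shape quoted in the question; the sample value is constructed. Note that Python's %f accepts at most six fractional digits, so the seven-digit fraction in the logs has to be trimmed first (Splunk's %3Q likewise keeps only milliseconds).

```python
import re
from datetime import datetime, timezone

# Constructed sample with the same shape as the value quoted in the question.
SAMPLE = "2017-01-04T19:12:33.0117979+00:00"

ISO_RE = re.compile(
    r"^(?P<base>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})"  # date and time
    r"(?:\.(?P<frac>\d+))?"                            # optional fraction, any length
    r"(?P<tz>Z|[+-]\d{2}:\d{2})$"                      # zone designator
)


def parse_log_time(value: str) -> datetime:
    """Parse a log timestamp into a timezone-aware datetime.

    The fraction is truncated/padded to six digits because strptime's %f
    rejects anything longer; 'Z' is mapped to '+00:00' so %z can read it.
    """
    m = ISO_RE.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    frac = (m.group("frac") or "0")[:6].ljust(6, "0")
    tz = "+00:00" if m.group("tz") == "Z" else m.group("tz")
    return datetime.strptime(f"{m.group('base')}.{frac}{tz}", "%Y-%m-%dT%H:%M:%S.%f%z")


def to_display(value: str, display_tz=timezone.utc) -> str:
    """Equivalent of the thread's strftime(..., "%F %H:%M:%S") step.

    Values carrying a non-UTC offset are normalised to display_tz first,
    which is what Splunk does with _time relative to the user's timezone.
    """
    return parse_log_time(value).astimezone(display_tz).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print(to_display(SAMPLE))  # 2017-01-04 19:12:33
```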

Revered Legend

When you say "same values of a specific column", is the value a static string/number? Are you trying to filter rows by comparing a column to certain values, like log_level="Warning" or account_number="foo123434" or similar? If yes, you can include the same in your base search, e.g. index=_internal sourcetype=splunkd log_level="WARN"
