Splunk Search

How to change my sample timestamp to a different time format?

Explorer

Hi,

I have time entries like 2017-01-04T19:12:33.0117979+00:00 in the logs.
How can I change this to 2017-01-04 19:12:33?
I tried eval Time=_time(_time,"%Y"-%m-%d %H:%M:%S) but it doesn't work.

Also, I want to get all rows of a table which have same values of a specific column. How can I achieve that?

Thanks,
Siddharth

0 Karma

Revered Legend

Are you trying to update the _raw data that you see in the search results, OR create a new field Time which will store the time in the required format? For the latter, try like this

| eval Time=strftime(_time,"%Y-%m-%d %H:%M:%S")
0 Karma

Explorer

This worked...
eval epochtime = strptime(Start,"%FT%H:%M:%S.%3Q") | eval "newtime" = strftime(epochtime, "%F %H:%M:%S") | table newtime

Can you please help me with query #2?

0 Karma

Revered Legend

When you say "same values of a specific column", is the value a static string/number? Are you trying to filter rows by comparing a column to a certain value, like log_level="Warning" or account_number="foo123434" or similar? If yes, you can include the same in your base search, e.g. index=_internal sourcetype=splunkd log_level="WARN"

0 Karma
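The two answers above, combined into one self-contained search as an added example (not code from either poster). It builds four constructed rows with makeresults and streamstats so it runs without any indexed data, converts the timestamp with the same strptime/strftime format strings the thread settled on, and then keeps only the rows that share the value of one column, which is the filtering reading of question #2 that the second answer asks about. The field names Start, log_level and n, and the sample timestamps, are assumptions made for the example.

```spl
| makeresults count=4
| streamstats count AS n
| eval Start=case(n=1, "2017-01-04T19:12:33.0117979+00:00",
                  n=2, "2017-01-04T19:12:35.2000000+00:00",
                  n=3, "2017-01-04T19:12:40.5550000+00:00",
                  n=4, "2017-01-04T19:13:01.0000000+00:00")
| eval log_level=case(n=1, "WARN", n=2, "INFO", n=3, "WARN", n=4, "ERROR")
| eval epochtime=strptime(Start, "%FT%H:%M:%S.%3Q")
| eval newtime=strftime(epochtime, "%F %H:%M:%S")
| where log_level="WARN"
| table newtime log_level Start
```

Two caveats a practitioner will want. First, "%3Q" reads only the first three fractional digits, so the extra sub-millisecond digits are dropped rather than rounded, and the "+00:00" offset is not consumed by this format string at all; the asker reported that the search still worked, but if events carry different offsets the resulting epochtime values will not be comparable unless the format also parses the offset. Second, if question #2 instead means "rows whose column value occurs more than once" rather than "rows equal to a known value", replace the where clause with `| eventstats count AS dup_count BY log_level | where dup_count > 1`, which keeps every row whose log_level is shared with at least one other row.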