
How to edit my search to remove "T" and "Z" characters from showing up in my timestamp results?

jmcaloon
Explorer

When using a search and calling out timestamp I am getting weird results on how the Timestamp is being formatted. Here is my current search I am using:

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID"

The formatting I am using is returning this as the date column for this issue:
2017-02-23T16:22:09.956Z

Is there a way I can remove that T and Z and just add a space because this seems to be happening to every search I try that includes the date?

Thank you,
Jack

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this
fixed typos updated regex

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID" | eval Date=replace(Date,"^(.+)T(.+)Z$","\1 \2")

Alternate option

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID"| replace *T*Z with "* *" in Date


0 Karma

sahr
Path Finder

Here is something else I use that usually helps me out

| rex field=updated "(?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+\.\d+)"
| eval timestamp=timestampA + timestampB
| eval timestamp=strptime(timestamp, "%Y-%m-%d%H:%M:%S.%3N")
| eval timestamp=strftime(timestamp, "%c")
| fields - timestampA timestampB

0 Karma

DalJeanis
SplunkTrust

Be aware that the Z is explicitly specifying that your time is in UTC (zulu). The T seems somewhat useless to me -- anything with colons in that spot must be a time -- but the time zone can be helpful for understanding the results. Why are so many people logging on at 9 PM? Because they just got back from lunch in California.

0 Karma
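The accepted answer's `replace(Date, "^(.+)T(.+)Z$", "\1 \2")` is a cosmetic fix, and the comment above explains what it throws away: the Z says the value is UTC. The Python below is an added illustration, not code from this thread or from Splunk; it applies the same regex outside SPL, then parses the same string as a timezone-aware instant so it can be rendered in a chosen zone, and measures how far off a reader is who treats the stripped digits as local time. The sample value is constructed from the Date column shown in the question, and the fixed UTC-8 offset stands in for the "California" example in the comment (an assumption; real deployments should use a proper tz database zone).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the value the question shows in its Date column.
SAMPLE = "2017-02-23T16:22:09.956Z"

# Same pattern as the accepted answer's replace(Date, "^(.+)T(.+)Z$", "\1 \2").
T_AND_Z = re.compile(r"^(.+)T(.+)Z$")


def strip_t_and_z(value: str) -> str:
    """Cosmetic fix from the accepted answer: T becomes a space, the Z is dropped.
    The result no longer says which time zone it is in. Non-matching input is
    returned unchanged, exactly as the SPL replace() would leave it."""
    return T_AND_Z.sub(r"\1 \2", value)


def parse_zulu(value: str) -> datetime:
    """Parse an ISO 8601 'Z' timestamp as a timezone-aware UTC datetime.
    Accepts values with or without a fractional-seconds part."""
    if not value.endswith("Z"):
        raise ValueError("expected a Z (UTC) suffix, got %r" % value)
    body = value[:-1]
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S"):
        try:
            return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("unrecognised timestamp layout: %r" % value)


def render_in_zone(value: str, utc_offset_hours: int) -> str:
    """Render the instant in a fixed-offset zone (assumed -8 for Pacific standard
    time in the example); this is what a human-readable local-time column should show."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return parse_zulu(value).astimezone(zone).strftime("%Y-%m-%d %H:%M:%S")


def hours_off_if_read_as_local(value: str, utc_offset_hours: int) -> float:
    """How far a reader is from the true instant if they take the stripped
    digits to be wall-clock time in the given zone. Zero only when that zone is UTC."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    # The digits left after stripping T and Z are the UTC wall clock; pretend they are local.
    wall_clock = parse_zulu(value).replace(tzinfo=None)
    assumed = wall_clock.replace(tzinfo=zone)
    return (assumed - parse_zulu(value)).total_seconds() / 3600


if __name__ == "__main__":
    print(strip_t_and_z(SAMPLE))                    # 2017-02-23 16:22:09.956
    print(render_in_zone(SAMPLE, -8))               # 2017-02-23 08:22:09
    print(hours_off_if_read_as_local(SAMPLE, -8))   # 8.0
```

The eight-hour figure is the "logging on at 9 PM" effect from the comment: a 16:22 UTC event displayed without its zone reads as an afternoon event to someone in UTC-8 whose morning it actually was. If the only goal is a cleaner column, the regex is enough; if the column is used to reason about when something happened, convert the instant into the reader's zone instead of deleting the zone marker.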

jmcaloon
Explorer

When trying that command at the end with the eval, it was still the same results.

0 Karma

somesoni2
Revered Legend

There was a typo in the regex and command name. Try the updated answer.

0 Karma

jmcaloon
Explorer

Tried the updated results and still of no luck. Is there such a command just to parse out from the specific variable that is being called? So for an example replace Date "T" "z" etc. I am new to Splunk so still trying to figure everything out

0 Karma

somesoni2
Revered Legend

My bad. I didn't capture the millisecond part in the regex, hence it didn't work. Actually I tried with a simpler regex and it worked. See this run-anywhere sample. Try the updated answer now.

| gentimes start=-1 | eval Date="2017-02-23T16:22:09.956Z" | table Date | eval Date_Updated=replace(Date,"^(.+)T(.+)Z$","\1 \2")

0 Karma

jmcaloon
Explorer

That worked perfectly. Thank you

0 Karma