Solved: How to escape a character in strptime?

sam_jacob · ‎09-02-2015

I'm trying to do a strptime on this time, 2015-09-01T01:03:22.

This is the query I'm running, index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, %Y-%m-%dT%H:%M:%S) | dedup date| head 5 | table date.

But when I run the query, Splunk yells at me saying "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%Y-%m-%dT%H:%M:%S)'."

richgalloway · ‎09-02-2015

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎09-02-2015

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date

---
If this reply helps you, Karma would be appreciated.

sam_jacob · ‎09-02-2015

Darn can't believe it was just that. Oh well, thanks for helping!

How to escape a character in strptime?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms