Splunk Search

How to escape a character in strptime?

sam_jacob
Path Finder

I'm trying to do a strptime on this time, 2015-09-01T01:03:22.

This is the query I'm running, index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, %Y-%m-%dT%H:%M:%S) | dedup date| head 5 | table date.

But when I run the query, Splunk yells at me saying "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%Y-%m-%dT%H:%M:%S)'."

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date
---
If this reply helps you, Karma would be appreciated.

sam_jacob
Path Finder

Darn can't believe it was just that. Oh well, thanks for helping!

0 Karma
Get Updates on the Splunk Community!

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

Industry Solutions for Supply Chain and OT, Amazon Use Cases, Plus More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Enterprise Security Content Update (ESCU) | New Releases

In November, the Splunk Threat Research Team had one release of new security content via the Enterprise ...