Splunk Search

How to escape a character in strptime?

sam_jacob
Path Finder

I'm trying to do a strptime on this time, 2015-09-01T01:03:22.

This is the query I'm running, index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, %Y-%m-%dT%H:%M:%S) | dedup date| head 5 | table date.

But when I run the query, Splunk yells at me saying "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%Y-%m-%dT%H:%M:%S)'."

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date
---
If this reply helps you, Karma would be appreciated.

sam_jacob
Path Finder

Darn can't believe it was just that. Oh well, thanks for helping!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...