Splunk Search

How to escape a character in strptime?

sam_jacob
Path Finder

I'm trying to do a strptime on this time, 2015-09-01T01:03:22.

This is the query I'm running, index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, %Y-%m-%dT%H:%M:%S) | dedup date| head 5 | table date.

But when I run the query, Splunk yells at me saying "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%Y-%m-%dT%H:%M:%S)'."

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date
---
If this reply helps you, Karma would be appreciated.

sam_jacob
Path Finder

Darn can't believe it was just that. Oh well, thanks for helping!

0 Karma
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...