Splunk Search
Highlighted

How to escape a character in strptime?

Path Finder

I'm trying to do a strptime on this time, 2015-09-01T01:03:22.

This is the query I'm running, index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, %Y-%m-%dT%H:%M:%S) | dedup date| head 5 | table date.

But when I run the query, Splunk yells at me saying "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%Y-%m-%dT%H:%M:%S)'."

0 Karma
Highlighted

Re: How to escape a character in strptime?

SplunkTrust
SplunkTrust

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

Highlighted

Re: How to escape a character in strptime?

Path Finder

Darn can't believe it was just that. Oh well, thanks for helping!

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.