Splunk Search

How to escape a character in strptime?

sam_jacob
Path Finder

I'm trying to do a strptime on this time, 2015-09-01T01:03:22.

This is the query I'm running, index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, %Y-%m-%dT%H:%M:%S) | dedup date| head 5 | table date.

But when I run the query, Splunk yells at me saying "Error in 'eval' command: The expression is malformed. An unexpected character is reached at '%Y-%m-%dT%H:%M:%S)'."

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

Put your strptime format string in quotes.

index=[redacted] sourcetype=[redacted] | eval date=strptime(DESCRIPTION, "%Y-%m-%dT%H:%M:%S") | dedup date| head 5 | table date
---
If this reply helps you, Karma would be appreciated.

sam_jacob
Path Finder

Darn can't believe it was just that. Oh well, thanks for helping!

0 Karma
Get Updates on the Splunk Community!

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...