Solved: How to format this search?

ranjithan · ‎02-10-2022

In the query _time is already formatted. But when i try to export the data in csv its showing different formats.

Query:index="wineventlog" host IN (USMDCKPAP30074) EventCode=6006 OR EventCode="6005" Type=Information
| eval BootUptime = if(EventCode=6005,strftime(_time, "%Y-%d-%m %H:%M:%S"),null())
| table host BootUptime

Eg:

2022-31-01 10:00:42

2022-29-01 06:40:11

2022-27-01 12:55:56

After exporting :

8/1/2022 4:08

1/1/2022 4:03

2021-25-12 04:03:29

2021-18-12 04:02:54

2021-16-12 10:14:45

2021-16-12 10:08:21

11/12/2021 4:08

4/12/2021 4:11

Please help me resolve this

ITWhisperer · ‎02-10-2022

| eval BootUptime = if(EventCode=6005,strftime(_time, "%Y-%d-%m %H:%M:%S"),"n/a")

View solution in original post

ITWhisperer · ‎02-10-2022

| eval BootUptime = if(EventCode=6005,strftime(_time, "%Y-%d-%m %H:%M:%S"),"n/a")

ranjithan · ‎02-11-2022

Thank You so much, this works!!

How to format this search?

timechart

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Join the Conversation

How to format this search?

timechart

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Splunk MCP & Agentic AI: Machine Data Without Limits