
How to splunk search to get time only from date time?

sekhar463
Path Finder

Hi all,

Can you help with a Splunk search to get only the time from a date-time?

Example: from 2022/11/28 17:00:00 I want to get only the time, 17:00.

0 Karma

sekhar463
Path Finder

Hi gcusello,

I am using the query below to calculate whether a job started on time or not, based on the actual start time and the job start time; the eval condition is not working, as I am comparing the time from actual_start time with job start by time.

Please help: if the job start time does not match the actual time, then the result is late,

and if the start time is equal to the actual start time, the result will be on_time.

So how can I create these 2 fields based on these?

index=main sourcetype=TEST
| eval Job_start_by=strftime(strptime(START_TIME,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| eval SLA=if(Job_start_by=ACTUAL_START_TIME,"1.ON-TIME",if(Job_start_by>ACTUAL_START_TIME,"2.LATE","3.OTHER"))
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,Job_start_by,SLA

0 Karma

sekhar463
Path Finder

Hi, I am trying to calculate SLA breach based on the job START_TIME and END_TIME below.

I need help with a search query to get the scenario below.

In the job below, the actual start time was 4:30 but it started at 4:50.

0 Karma

gcusello
SplunkTrust

Hi @sekhar463,

You have to use the eval command with the strftime function, something like this:

<your_search>
| eval NEW_START_TIME=strftime(START_TIME,"%H:$M")

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

Hi, thanks for your response.

I am using the query below but not getting field values for NEW_START_TIME:

index=main sourcetype=autosys_CRD
|eval NEW_START_TIME=strftime(START_TIME,"%H:$M")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

@gcusello

0 Karma

gcusello
SplunkTrust

Hi @sekhar463,

Sorry, I made a typo; please try this:

index=main sourcetype=autosys_CRD
|eval NEW_START_TIME=strftime(START_TIME,"%H:%M")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

Ciao.

Giuseppe

0 Karma

sekhar463
Path Finder

Still the same empty values for the field.

0 Karma

gcusello
SplunkTrust

Hi @sekhar463,

Sorry! I forgot that your START_TIME isn't in epoch time.

Please try this:

index=main sourcetype=autosys_CRD
| eval NEW_START_TIME=strftime(strptime(START_TIME,"%Y/%m/%d %H:%M:%S"),"%H:%M")
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

You could also try:

index=main sourcetype=autosys_CRD
| eval NEW_START_TIME=substr(START_TIME,10,5)
| table JOB_NAME,STATUS,START_TIME,END_TIME,DAYS_OF_WEEK,ACTUAL_START_TIME,RUNTIME,NEW_START_TIME

Ciao.

Giuseppe

0 Karma
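The on-time/late check asked about earlier in the thread is safer done on epoch seconds than on "HH:MM" strings, because string comparison cannot express a tolerance and breaks for jobs scheduled just before midnight. The search below is an added example (not from the thread); it assumes START_TIME is the scheduled start as "%Y/%m/%d %H:%M:%S" and ACTUAL_START_TIME is an "HH:MM" string on the same day, and builds constructed sample rows with makeresults so it runs on any Splunk instance without an index.

```spl
``` Constructed sample rows standing in for index=main sourcetype=autosys_CRD ```
| makeresults count=3
| streamstats count AS n
| eval JOB_NAME=case(n=1,"JOB_A", n=2,"JOB_B", n=3,"JOB_C")
| eval START_TIME=case(n=1,"2022/11/28 17:00:00", n=2,"2022/11/28 04:30:00", n=3,"2022/11/28 23:55:00")
| eval ACTUAL_START_TIME=case(n=1,"17:00", n=2,"04:50", n=3,"00:05")
``` Parse the scheduled date-time into epoch seconds; strftime alone fails on a non-epoch string ```
| eval sched_epoch=strptime(START_TIME,"%Y/%m/%d %H:%M:%S")
| eval Job_start_by=strftime(sched_epoch,"%H:%M")
``` Attach the scheduled date to the HH:MM actual start so both sides become epoch seconds ```
| eval actual_epoch=strptime(strftime(sched_epoch,"%Y/%m/%d")." ".ACTUAL_START_TIME,"%Y/%m/%d %H:%M")
``` Cross-midnight fix: an actual start more than 12h earlier than the schedule belongs to the next day ```
| eval actual_epoch=if(actual_epoch < sched_epoch - 43200, actual_epoch + 86400, actual_epoch)
| eval delay_min=round((actual_epoch - sched_epoch)/60)
``` Label the SLA result from the numeric delay rather than from a string comparison ```
| eval SLA=case(delay_min<=0,"1.ON-TIME", delay_min>0,"2.LATE")
| table JOB_NAME START_TIME Job_start_by ACTUAL_START_TIME delay_min SLA
```

With these rows JOB_A is on time (0 min), JOB_B is 20 min late, and JOB_C is 10 min late despite "00:05" sorting before "23:55" as a string; replace the first block with your real search to run it against indexed data.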