Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Need to add Date/Time in report
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have following record in my log -
2019-06-13 10:59:56,664 INFO [FileUploadWebScript] [http-apr-8983-exec-5] The Upload Service /filenet/service/temp/upload succeeded in 2.366000 seconds, Request: {account=0063, creator=Test, name=Itinerary}
I need a report showing a tabular report with following columns -
Name | Account | creator | uploaded On
Itinerary .... 0063..... Test...... 2019-06-13
"Upload On" should be from the start of the line i.e., "2019-06-13 10:59:56,664"
I am able to get all other columns except date/time by this query -
...| stats list(name) as "Name", list(account) as "Account", list(creator) as "Creator"
How to change this statement so that I can get "Uploaded On" too?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
... | eval uploaded_On = strftime(_time, "%Y-%m-%d %H:%M:%S")
| table Uploaded_On name account creator
| rename name AS Name account AS Account create AS Creator
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
... | eval uploaded_On = strftime(_time, "%Y-%m-%d %H:%M:%S")
| table Uploaded_On name account creator
| rename name AS Name account AS Account create AS Creator
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Woodcock, it worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Woodcock, somehow I am seeing some rows with Timestamp (Uploaded_ON) but no details around name, account & creator.
What we can do to make sure it shows record only if "name" is present?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure, just add | where isnotnull(name)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@runiyal - You can use eval "Uploaded On"=_time in the query to display "2019-06-13 10:59:56,664". If you want to show only Date, Use eval "Uploaded On"=strftime(_time, "%Y-%m-%d") in the query.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@runiyal- Is this the value of _time ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Vijeta, this is the time of the log entry....I may just need to show "2019-06-13" under "Uploaded On" column.
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
