Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need to remove T and Z from output timestamp

ravir_jbp
Explorer
‎11-01-2023 10:01 AM

I am trying to remove T and Z from the output timestamp results. Can you please help me with the query to remove  and space in the place of T and Z.

2023-11-01T15:54:00Z

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2023 10:22 AM 
| eval stime=strftime(strptime(stime,"%FT%TZ"),"%F %T")
| eval etime=strftime(strptime(etime,"%FT%TZ"),"%F %T")
| eval orgstime=strftime(strptime(orgstime,"%FT%TZ"),"%F %T")
| eval orgetime=strftime(strptime(orgetime,"%FT%TZ"),"%F %T")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎11-01-2023 12:28 PM

As I noted in https://community.splunk.com/t5/Splunk-Search/Date-time-formatting-variables-not-producing-result-I-..., the letter "Z" signifies a standard time zone and you should NOT simply remove it.  Instead, Splunk should process it as a timezone token before you render the end result in any string format you wanted.  In other words,

| eval stime=strftime(strptime(stime,"%FT%T%Z"),"%F %T")
| eval etime=strftime(strptime(etime,"%FT%T%Z"),"%F %T")
| eval orgstime=strftime(strptime(orgstime,"%FT%T%Z"),"%F %T")
| eval orgetime=strftime(strptime(orgetime,"%FT%T%Z"),"%F %T")

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2023 10:04 AM 
| makeresults
| eval time="2023-11-01T15:54:00Z"
| eval reformatted=strftime(strptime(time,"%FT%TZ"),"%F %T")
0 Karma
Reply
Solved! Jump to solution

ravir_jbp
Explorer
‎11-01-2023 10:16 AM

This is the final stats results I got it now. The query you have shared is used to modify specific time. But I like to modify the timestamp on all the below mentioned column. 

 

timestamp.JPG

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-01-2023 10:22 AM 
| eval stime=strftime(strptime(stime,"%FT%TZ"),"%F %T")
| eval etime=strftime(strptime(etime,"%FT%TZ"),"%F %T")
| eval orgstime=strftime(strptime(orgstime,"%FT%TZ"),"%F %T")
| eval orgetime=strftime(strptime(orgetime,"%FT%TZ"),"%F %T")
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...