Splint date/time filed in multiple fields for calc...

bigll · ‎02-20-2024

Hi.

I have a single filed for date and time of event - 2024-02-19T11:16:58.930104Z
I would like to have to fields Date and Time as well as one more calculated fields I can use to find records not changed in last 2 days or 48 hours what ever is better for the search.

I tried

|eval Date = strftime(policy_refresh_at, "%b-%d-%Y")

| eval Time = strftime(policy_refresh_at, "%H:%M")

or

| eval Date=substr(policy_refresh,10,1)

The result come empty in both cases.
So nothing to calculate on

Please advise, Thank you

Please advise on

bigll · ‎02-20-2024

Thank you for an update.

I tried suggested SPL and added rename field to see if data exists
-------------------
| eval Date = strftime(strptime("policy_applied_at","%FT%T.%6NZ"), "%b-%d-%Y")
| eval Time = strftime(strptime("policy_applied_at","%FT%T.%6NZ"), "%H:%M")
| rename "policy_applied_at" as "Last Refresh Time"
| table "Last Refresh Time", Date, Time
-------------
The rename, but not trimmed field has data, other two are empty

Last Refresh Time Date Time

2024-02-19T11:16:58.930104Z
2024-02-19T11:16:54.980418Z
2024-02-19T11:18:44.875386Z

ITWhisperer · ‎02-21-2024

Please share some sample (anonymised) events

ITWhisperer · ‎02-20-2024

If policy_refresh_at is a string, you could ty parsing it (to an epoch timestamp) before formatting, something like this:

|eval Date = strftime(strptime(policy_refresh_at,"%FT%T.%6NZ"), "%b-%d-%Y")

| eval Time = strftime(strptime(policy_refresh_at,"%FT%T.%6NZ"), "%H:%M")

Splint date/time filed in multiple fields for calculations

eval

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases