Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splint date/time filed in multiple fields for calculations

bigll
Path Finder
‎02-20-2024 09:12 AM

Hi.

I have a single filed for date and time of event - 2024-02-19T11:16:58.930104Z
I would like to have to fields Date and Time as well as one more calculated fields I can use to find records not changed in last 2 days or 48 hours what ever is better for the search.

I tried 

|eval Date = strftime(policy_refresh_at, "%b-%d-%Y")

| eval Time = strftime(policy_refresh_at, "%H:%M")

or

| eval Date=substr(policy_refresh,10,1)

The result come empty in both cases.
So nothing to calculate on

Please advise, Thank you

Please advise on

Labels (1)
Labels
Tags (3)
0 Karma
Reply

bigll
Path Finder
‎02-20-2024 11:08 AM

Thank you for an update.

I tried suggested SPL and added rename field to see if data exists
-------------------
| eval Date = strftime(strptime("policy_applied_at","%FT%T.%6NZ"), "%b-%d-%Y")
| eval Time = strftime(strptime("policy_applied_at","%FT%T.%6NZ"), "%H:%M")
| rename "policy_applied_at" as "Last Refresh Time"
| table "Last Refresh Time", Date, Time
-------------
The rename, but not trimmed field has data, other two are empty

Last Refresh Time Date Time

2024-02-19T11:16:58.930104Z  
2024-02-19T11:16:54.980418Z  
2024-02-19T11:18:44.875386Z  
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-21-2024 12:51 AM

Please share some sample (anonymised) events

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-20-2024 09:22 AM

If policy_refresh_at is a string, you could ty parsing it (to an epoch timestamp) before formatting, something like this:

|eval Date = strftime(strptime(policy_refresh_at,"%FT%T.%6NZ"), "%b-%d-%Y")

| eval Time = strftime(strptime(policy_refresh_at,"%FT%T.%6NZ"), "%H:%M")
0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...