Hi
I am running search with the following string

"sourcetype="TicketAnalysis" | chart count by CloseDateTime" and getting result in following format

"CloseDateTime" "count"

2013-02-19 11:40 AM 1

2013-02-20 12:11 PM 1

2013-02-22 16:26 PM 1

2013-02-23 01:02 AM 1

2013-02-26 12:13 PM 1

i would like to have CloseDateTime field in only day or month format. i tried to do through "convert timeformat="%d" ctime(_time) function and not getting any result. can you please help me out.

Thanks.

Hi,

strptime(X,Y) will convert a string X, e.g. "2013-03-22 11:22:33", into epoch, with the string being described by Y

strftime(X,Y) will convert an epoch timestamp (X) into a string, defined by Y.

An example;

You want to calculate the difference between two timestamps in an event. This event looks like;

2013-03-22 11:22:33 transactionid=123 startdate=03/18/2013 enddate=03/23/2013

base search 
| eval start=strptime(startdate,"%m/%d/%Y") 
| eval end=strptime(enddate, "%m/%d/%Y") 
| eval dur = end - start 
| the rest of the search

Then you want to calculate how many transaction that started in March. Add the following lines;

| eval startmonth = stfrtime(start, "%m")

Now start and end is in epoch (an integer), dur is also an integer (the number of seconds between the two dates). startmonth will be '03' (for March) for the event above.

See the following resources for more info;

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Commontimeformatvariables
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions
http://www.strftime.net

UPDATE:

Well, since you have the CloseTimeDate as a string, you can do the calculations pretty much as described above all done in one eval;

sourcetype="TicketAnalysis" 
| eval cd=strftime(strptime(CloseDateTime,"%Y-%m-%d %H:%M:%S %p"),"%m-%d")
| chart count by cd

The inner function - strptime() - converts your string to epoch, and the outer - strftime() - converts/extracts the parts you want, and in what order from the epoch. In this case Month-Day will be stored in the new field 'cd'.

Of course, there is more than one way to do it, one of which is to use eval's substr() function to operate on the string CloseDateTime directly (if you are happy with how it looks, and just want to strip off a few parts).

sourcetype="TicketAnalysis" 
| eval cd=substr(CloseDateTime,5,5)
| chart count by cd

which will take the field (CloseDateTime) jump to offset 5 (i.e. skip the 2013- part) and read 5 characters, i.e. '02-19'.

OR if these dates actually are the same, or nearly the same, as the time of the event, you may be happy with using the built-in fields date_month, date_hour, date_mday, date_second etc. These are automatically calculated for most types of event, apart from Windows EventLogs.

Hope this helps,

Kristian