Using regex, what is the syntax to trim a timestamp formatted like 2022-01-06 01:51:23 UTC so that it only reflects the date and hour, like this: 2022-01-06 01?
Like this:
|makeresults
| eval time = "2022-01-06 01:51:23 UTC"
| eval time = replace(time, "\s.*$", "")
I was actually able to change the event timestamp by using offset:
| rex field=timestamp "(?<timestamp>.{13})"
What is the use case for string manipulation if this concerns the event timestamp (designated by the built-in _time field)? Most of the time, using "| bin span=1h@h _time" allows better handling/flexibility down the pipe, perhaps better performance, too.
If this concerns a text field that is not used as event timestamp, an alternative to regex is split(), like
| eval date_hour = mvindex(split(timestamp, ":"), 0)
| rex mode=sed "s/(?<datehour>\d{4}-\d\d-\d\d \d\d)(?<discard>:\d\d:\d\d \w+)/\\1/g"
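
Added example, not part of any reply above: the string-based approaches from this thread run side by side on the sample value, so the results can be compared in one table. The output field names (date_only, by_replace, by_substr, by_rex, by_split) are made up for illustration; a pattern of `\s.*$` cuts at the first space, while `:.*$` cuts at the first colon and so keeps the hour.

```spl
| makeresults
| eval timestamp = "2022-01-06 01:51:23 UTC"
| eval date_only = replace(timestamp, "\s.*$", "")
| eval by_replace = replace(timestamp, ":.*$", "")
| eval by_substr = substr(timestamp, 1, 13)
| eval by_split = mvindex(split(timestamp, ":"), 0)
| rex field=timestamp "^(?<by_rex>.{13})"
| table timestamp date_only by_replace by_substr by_split by_rex
```

The fixed-width variants (substr and `.{13}`) depend on the timestamp always being zero-padded; the colon-based variants do not.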