Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is the best way to trim a Timestamp?

bjs
Engager
‎02-10-2022 02:06 PM

What is the best way to trim a timestamp formatted like 2022-01-06 01:51:23 UTC so that it only reflects the date and hour, like this  2022-01-06 01? I need to be able to search for events by just the date and hour.

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-10-2022 02:16 PM

Depends on the use case but in general it's usually best to operate on time stored as number (unix time), not on time strings.

So in this case, provided that you have your timestamp stored in a field call Time, you could just use the bin command with a proper bin.

| bin Time span=1d

If you want to manipulate strings, you could use regex, but substr should in this case be way faster

| makeresults
| eval Time="2022-01-06 01:51:23 UTC"
| eval JustDate=substr(Time,1,10)
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-10-2022 04:37 PM

OP wants hour of day, so

| bin span=1h@h _time

Also note that the span element is also accepted in timechart, so you may not even need to have a standalone bin command.

Reply

PickleRick
SplunkTrust
SplunkTrust
‎02-10-2022 10:57 PM

Ahh, didn't notice the hour part indeed. So the substring would have to be a bit longer. 13 characters?

Well spotted.

There is a subtle difference between timechart and bin if you want to do your stats not by time alone.

As you undoubtedly know

| timechart span=1h count by whatever

produces differently formatted results than

| bin span=1h _time
| stats count by _time whatever

Sure, you can use untable/xyseries to "convert" from one to another but  it's usually more straightforward to chose the form more suitable for further use without additional modifications.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-10-2022 11:43 PM

Another difference to note is that timechart will fill in the gaps across the whole time span defined by the search (from earliest to latest), whereas stats by _time merely uses the times from the events found.

Reply
Get Updates on the Splunk Community!

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...