Splunk Search

What is the best way to trim a Timestamp?

bjs
Engager

What is the best way to trim a timestamp formatted like 2022-01-06 01:51:23 UTC so that it only reflects the date and hour, like this: 2022-01-06 01? I need to be able to search for events by just the date and hour.


PickleRick
SplunkTrust

Depends on the use case but in general it's usually best to operate on time stored as number (unix time), not on time strings.

So in this case, provided that you have your timestamp stored in a field called Time, you could just use the bin command with a proper bin.

| bin Time span=1d

If you want to manipulate strings, you could use regex, but substr should in this case be way faster.

| makeresults
| eval Time="2022-01-06 01:51:23 UTC"
| eval JustDate=substr(Time,1,10)

yuanliu
SplunkTrust

OP wants hour of day, so

| bin span=1h@h _time

Also note that the span element is also accepted in timechart, so you may not even need to have a standalone bin command.

PickleRick
SplunkTrust

Ahh, didn't notice the hour part indeed. So the substring would have to be a bit longer. 13 characters?

Well spotted.

There is a subtle difference between timechart and bin if you want to do your stats not by time alone.

As you undoubtedly know

| timechart span=1h count by whatever

produces differently formatted results than

| bin span=1h _time
| stats count by _time whatever

Sure, you can use untable/xyseries to "convert" from one to another but it's usually more straightforward to choose the form more suitable for further use without additional modifications.

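Putting the thread's two approaches together in one search, as an added example that is not part of any post above: substr keeps the first 13 characters of the string (date plus hour), while the numeric route drops the " UTC" suffix, parses the rest with strptime, snaps to the hour with bin span=1h@h as yuanliu suggested, and formats the bucket back with strftime. The three Time values are constructed test data and the field name Time follows the thread. The "UTC" token is deliberately cut off before strptime rather than parsed: a string with no zone information is interpreted in the search user's time zone, so that preference should be set to UTC, otherwise the epoch is offset even though the formatted bucket still matches the substring.

```spl
| makeresults count=3
| streamstats count AS n
| eval Time=mvindex(split("2022-01-06 01:51:23 UTC,2022-01-06 01:07:02 UTC,2022-01-06 02:15:44 UTC", ","), n-1)
| eval DateHour=substr(Time, 1, 13)
| eval _time=strptime(substr(Time, 1, 19), "%Y-%m-%d %H:%M:%S")
| bin _time span=1h@h
| eval HourBucket=strftime(_time, "%Y-%m-%d %H")
| where HourBucket="2022-01-06 01"
| table Time DateHour _time HourBucket
```

Expected result: the first two constructed rows survive the where clause, both with DateHour and HourBucket equal to 2022-01-06 01 and _time snapped to 01:00:00; the 02:15:44 row is dropped. Filtering on a derived field like this is fine for a result set you already have. To select indexed events for a single hour, a time-range search such as earliest="01/06/2022:01:00:00" latest="01/06/2022:02:00:00" is the faster option, because it is served from the index instead of evaluating a string per event.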

ITWhisperer
SplunkTrust

Another difference to note is that timechart will fill in the gaps across the whole time span defined by the search (from earliest to latest), whereas stats by _time merely uses the times from the events found.
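An added example, not from any post in the thread, that makes the gap-filling difference visible on constructed data: three events two hours apart from two hosts, charted at one-hour resolution. The host names web01 and web02 are made up for the example.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time=strptime("2022-01-06 00:00:00", "%Y-%m-%d %H:%M:%S") + (n - 1) * 7200
| eval host=if(n=2, "web02", "web01")
| timechart span=1h count BY host
```

Expected result: five rows from 00:00 through 04:00 with a web01 and a web02 column, and zeros in both columns at 01:00 and 03:00, where no event exists. Replacing the last command with the thread's bin span=1h _time followed by stats count by _time host yields only three rows, one per _time/host pair that actually occurred, with no zero rows at all. On indexed events timechart fills from the search's earliest to its latest; with makeresults there is no index time range, so the filled rows are expected to run from the first to the last _time in the results.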
