How do I extract the date and time from my events?

Event Data Sample
-------------------------
Jun 4 01:27:01 rofsso504a Usage: /dev/sda1 16G 16G 20K 100% /
Jun 4 02:27:01 rofsso504a Usage: /dev/sda1 16G 16G 20K 100% /
Jun 4 00:27:01 rofsso504a Usage: /dev/sda1 16G 16G 20K 100% /
Jul 31 22:27:01 rofsso504a Usage: /dev/sda4 210G 53G 157G 26% /home
Jul 31 08:27:01 rofsso504a Usage: /dev/sda4 210G 53G 157G 26% /home

My Search
-----------------
index=sso host=rofsso504* PartitionDiskSpaceUsed>25 earliest=-2mon
| rename _raw as Event host as Host
| eval Timestamp=strftime(_time, "%b %d %H:%M:%S")
| table Host _time Timestamp PartitionDiskSpaceUsed Event
| sort Host -Timestamp
| table _time Timestamp PartitionDiskSpaceUsed Event

What I want
------------------
I want the Timestamp column to contain the correct Event Date and Time, but currently it shows the DateTime of the search.

2020-06-04 00:50:56 Jun 04 01:27:01 100 Jun 4 01:27:01 rofsso504a Usage: /dev/sda1 16G 16G 20K 100% /
2020-06-04 00:50:56 Jun 04 02:27:01 100 Jun 4 02:27:01 rofsso504a Usage: /dev/sda1 16G 16G 20K 100% /
2020-06-04 00:50:56 Jun 04 00:27:01 100 Jun 4 00:27:01 rofsso504a Usage: /dev/sda1 16G 16G 20K 100% /
2020-07-31 00:50:56 Jul 31 22:27:01 26 Jul 31 22:27:01 rofsso504a Usage: /dev/sda4 210G 53G 157G 26% /home
2020-07-31 00:50:56 Jul 31 08:27:01 26 Jul 31 08:27:01 rofsso504a Usage: /dev/sda4 210G 53G 157G 26% /home

What I get
------------
2020-06-04 00:50:56 Jun 04 00:50:56 100 Jun 4 01:27:01 rofsso504a Usage: /dev/sda1 16G 16G 20K 100% /
2020-06-04 00:50:56 Jun 04 00:50:56 100 Jun 4 02:27:01 rofsso504a Usage: /dev/sda1 16G 16G 20K 100% /
2020-06-04 00:50:56 Jun 04 00:50:56 100 Jun 4 00:27:01 rofsso504a Usage: /dev/sda1 16G 16G 20K 100% /
2020-07-31 00:50:56 Jul 31 00:50:56 26 Jul 31 22:27:01 rofsso504a Usage: /dev/sda4 210G 53G 157G 26% /home
2020-07-31 00:50:56 Jul 31 00:50:56 26 Jul 31 08:27:01 rofsso504a Usage: /dev/sda4 210G 53G 157G 26% /home