Splunk Search

Every timespan of transaction need time format

Manasi25
Explorer

Hello,

I have alert transactions at "ACK" and at "Resolved". I have created a table for each value, but I am unable to edit the time format of each. Please help. Please find the attached image for reference.

Current output (one row; the second, third and fourth columns are multi-value fields):

incidentNumber  user                               TIME                                        status
857415          piyush.moorjani, piyush.moorjani   2021-08-25T01:57:26Z, 2021-08-25T01:58:47Z  ACKED, RESOLVED

 

need time format of third col.


ITWhisperer
SplunkTrust

Are these multi-value fields? If so, have you tried mvmap to format each value?


Manasi25
Explorer

Hi,

No, I haven't used mvmap for this.

These are multi-value fields from the same field called transitions{}.at

incidentNumber  user                         TIME                                        status
858681          mike.dowling, mike.dowling   2021-08-25T14:44:00Z, 2021-08-25T14:53:40Z  ACKED, RESOLVED

ITWhisperer
SplunkTrust
| makeresults 
| eval _raw="858681,mike.dowling|mike.dowling,2021-08-25T14:44:00Z|2021-08-25T14:53:40Z,ACKED|RESOLVED"
| eval _raw=split(_raw,",")
| eval incident=mvindex(_raw,0)
| eval name=split(mvindex(_raw,1),"|")
| eval time=split(mvindex(_raw,2),"|")
| eval status=split(mvindex(_raw,3),"|")
| table incident name time status
| eval time=mvmap(time,strftime(strptime(time,"%Y-%m-%dT%H:%M:%S"),"%d/%m/%Y %H:%M:%S"))

Manasi25
Explorer

Hi @ITWhisperer

I have multiple alerts with incidentNumber, user, ack time and resolved time.
How can I sort my whole data, as it has lots of rows?


ITWhisperer
SplunkTrust

You should probably extract the transitions array, mvexpand it into separate events, then extract the fields from transitions.


Manasi25
Explorer

I did mvexpand for this; I need the time format for the "TIME" column. Please find the screenshot below.

ITWhisperer
SplunkTrust

I have shown you how to reformat multi-value fields, but you also mentioned sort - what are you trying to sort by? Perhaps if you gave an example of the desired output, that might help. By the way, you haven't used mvexpand in the way I suggested, but without knowing what you are trying to achieve, it is hard to know whether what you have done is correct or not.


Manasi25
Explorer

Hello

I want to format the time in the column "TIME". I have formatted it, but the result is "NULL" output, as these times come from a single field called "transitions{}.at" and I am unable to format two values at a time into the table.

  startTime: 2021-08-26T11:02:25Z
  transitions: [
    {
      at: 2021-08-26T11:03:06Z
      by: asma.sahbani
      name: ACKED
    }
    {
      at: 2021-08-26T11:12:58Z
      by: asma.sahbani
      manually: true
      name: RESOLVED
    }
  ]


Manasi25
Explorer

Hello

Any update on this?

ITWhisperer
SplunkTrust

Did you try the mvmap solution I proposed earlier? What were the results?


Manasi25
Explorer

Here is the result. It worked, but how can we use it on my source type/index?

Please help, I'm just a beginner.

[screenshot attached]

My data is below:

[screenshot attached]

ITWhisperer
SplunkTrust

OK, your field appears to be called TIME rather than time as in my example, so try

| eval TIME=mvmap(TIME,strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%S"),"%d/%m/%Y %H:%M:%S"))

Manasi25
Explorer

Hello

It worked, but it is showing an incorrect time for the "ACK" alerts, and it's skipping the "Resolved" time in the second row of a single "incidentNumber".


ITWhisperer
SplunkTrust

You appear to be making a 5 hour adjustment to times elsewhere in the search, so you could do the same here:

| eval TIME=mvmap(TIME,strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%S")-18000,"%d/%m/%Y %H:%M:%S"))

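Putting ITWhisperer's earlier advice (extract the transitions array, mvexpand it, then extract the fields) together with the accepted answer, as an added example that is not from the thread. The JSON shape is the one Manasi25 posted above, embedded as a constructed event via makeresults; the incidentNumber key is assumed, and the -18000 is the 5 hour adjustment from the accepted answer.

```spl
| makeresults
| eval _raw="{\"incidentNumber\":\"858681\",\"startTime\":\"2021-08-26T11:02:25Z\",\"transitions\":[{\"at\":\"2021-08-26T11:03:06Z\",\"by\":\"asma.sahbani\",\"name\":\"ACKED\"},{\"at\":\"2021-08-26T11:12:58Z\",\"by\":\"asma.sahbani\",\"manually\":true,\"name\":\"RESOLVED\"}]}"
``` pull the scalar field and the transitions array (one multi-value entry per JSON object)
| spath input=_raw path=incidentNumber output=incidentNumber
| spath input=_raw path=transitions{} output=transition
``` one event per transition, so each row has exactly one TIME and one status
| mvexpand transition
| spath input=transition path=at output=TIME
| spath input=transition path=by output=user
| spath input=transition path=name output=status
``` TIME is now single-valued, so no mvmap is needed; the -18000 is the 5 hour shift used in the thread
| eval TIME=strftime(strptime(TIME,"%Y-%m-%dT%H:%M:%S")-18000,"%d/%m/%Y %H:%M:%S")
| table incidentNumber user TIME status
```

Because a timestamp without a zone designator is interpreted by strptime in the searching user's timezone, a hardcoded second offset only stays correct for that one user and does not follow daylight-saving changes.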

Manasi25
Explorer

Thank you! It worked.
