Since a picture speaks a thousand words, here is what my current results get me:
As you can see, my search gets me Date, Leased IP, and Host Name.
I would like the Date field to contain only the date, i.e. 08/24/2016, and not the hour, minute and second. Is there a way to do that?
Thanks for any help you can throw my way,
P.
Add this to your search
... | eval Date=strftime(Date, "%x")
Instead of the convert, add this
... | eval Date=strftime(_time, "%x") | fields - _time | ...
That did the trick! So many thanks to everyone for the help!
Skip the convert - after that you have a string and no longer an epoch value, which is required by strftime() to work.
cheers, MuS