Solved: Remove Time from results

pboynton63 · ‎08-24-2016

Since a picture speaks a thousand words here is what my current results get me:

As you can search my search gets me Date, Leased IP, and Host Name

I would like the Date field to contain only the date i.e 08/24/2016 and not the hour, minute and second. Is there a way to do that?

Thanks for any help you can throw my way,

P.

sundareshr · ‎08-24-2016

Add this to your search

... | eval Date=strftime(Date, "%x")

View solution in original post

sundareshr · ‎08-24-2016

Add this to your search

... | eval Date=strftime(Date, "%x")

pboynton63 · ‎08-24-2016

I removed the convert piece as you suggested. That does not seem to have worked if I understood you correctly.

sundareshr · ‎08-24-2016

Instead of the convert, add this

... | eval Date=strftime(_time, "%x") | fields - _time | ...

pboynton63 · ‎08-24-2016

That did the trick! So many thanks to everyone for the help!

pboynton63 · ‎08-24-2016

Thank you Sundareshr,

Here are the results of your suggestion:

It seems to have taken the date and time, and what I was looking for was just to remove the hour, minute, and second. I would still like the date e.g. 08/24/2016

But I think we are close!

Again my thanks,

P.

MuS · ‎08-24-2016

Skip the convert - after that you have a string and no longer an epoch value which is required by strftime() to work.

cheers, MuS

Remove Time from results

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms