Solved: How to edit my search to remove "T" and "Z" charac...

jmcaloon · ‎02-23-2017

When using a search and calling out timestamp I am getting weird results on how the Timestamp is being formatted. Here is my current search I am using:

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID"

The formatting I am using is returning this as the date column for this issue:
2017-02-23T16:22:09.956Z

Is there a way I can remove that T and Z and just add a space because this seems to be happening to every search I try that includes the date?

Thank you,
Jack

somesoni2 · ‎02-23-2017

Try like this
fixed typos updated regex

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID" | eval Date=replace(Date,"^(.+)T(.+)Z$","\1 \2")

Alternate option

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID"| replace *T*Z with "* *" in Date

View solution in original post

sahr · ‎12-28-2017

Here is something else I use that usually helps me out

| rex field=updated (?\d{4}-\d{2}-\d+)T(?\d+:\d+:\d+.\d+)
| eval timestamp= timestampA + timestampB
| eval timestamp = strptime(timestamp, "%Y-%m-%d%H:%M:%S.%3N")
| eval timestamp=strftime(timestamp, "%c")
|fields - timestampA timestampB

DalJeanis · ‎02-23-2017

Be aware that the Z is explicitly specifying that your time is in UTC (zulu). The T seems somewhat useless to me -- anything with colons in that spot must be a time -- but the time zone can be helpful for understanding the results. Why are so many people logging on at 9 PM? Because they just got back from lunch in California.

somesoni2 · ‎02-23-2017

Try like this
fixed typos updated regex

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID" | eval Date=replace(Date,"^(.+)T(.+)Z$","\1 \2")

Alternate option

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID"| replace *T*Z with "* *" in Date

jmcaloon · ‎02-23-2017

When trying that command at the end with the eval, it was still the same results.

somesoni2 · ‎02-23-2017

There was a typo in the regex and command name. Try the updated answer.

jmcaloon · ‎02-23-2017

Tried the updated results and still of no luck. Is there such a command just to parse out from the specifc variable that is being called? So for an example replace Date "T" "z" etc. I am new to splunk so still tyring to figure everything out

somesoni2 · ‎02-23-2017

My bad. I didn't capture the millisecond part in the regex hence it didn't work. Actually I tried with a simpler regex and it work. See this run anywhere sample. Try the updated answer now.

| gentimes start=-1 | eval Date="2017-02-23T16:22:09.956Z" | table Date | eval Date_Updated=replace(Date,"^(.+)T(.+)Z$","\1 \2")

jmcaloon · ‎02-23-2017

That worked perfectly.Thank you

How to edit my search to remove "T" and "Z" characters from showing up in my timestamp results?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!