Splunk Search

How to edit my search to remove "T" and "Z" characters from showing up in my timestamp results?

jmcaloon
Explorer

When using a search and calling out the timestamp I am getting weird results in how the Timestamp is being formatted. Here is my current search I am using:

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID"

The formatting I am using is returning this as the date column for this issue:
2017-02-23T16:22:09.956Z

Is there a way I can remove that T and Z and just add a space because this seems to be happening to every search I try that includes the date?

Thank you,
Jack

0 Karma
1 Solution

somesoni2
SplunkTrust

Try like this (fixed typos, updated regex):

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID" | eval Date=replace(Date,"^(.+)T(.+)Z$","\1 \2")

Alternate option

ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID"| replace *T*Z with "* *" in Date


0 Karma

sahr
Path Finder

Here is something else I use that usually helps me out

| rex field=updated "(?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+\.\d+)"
| eval timestamp = timestampA . timestampB
| eval timestamp = strptime(timestamp, "%Y-%m-%d%H:%M:%S.%3N")
| eval timestamp = strftime(timestamp, "%c")
| fields - timestampA timestampB

0 Karma

DalJeanis
SplunkTrust

Be aware that the Z is explicitly specifying that your time is in UTC (Zulu). The T seems somewhat useless to me -- anything with colons in that spot must be a time -- but the time zone can be helpful for understanding the results. Why are so many people logging on at 9 PM? Because they just got back from lunch in California.

0 Karma
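Building on the accepted answer and the UTC caveat above, here is an added run-anywhere search (not posted by anyone in this thread) that shows the regex-stripped value next to a version that parses the `Z` as an explicit `+0000` offset, so the UTC meaning survives the reformatting and Splunk renders the time in the viewing user's configured time zone. The `Date` value is the one from the question; the other field names are constructed for the example.

```spl
| makeresults
| eval Date="2017-02-23T16:22:09.956Z"
``` Accepted-answer approach: drop the T and Z, which also drops the time zone ```
| eval Date_stripped=replace(Date, "^(.+)T(.+)Z$", "\1 \2")
``` Timezone-preserving approach: rewrite Z as +0000 and let strptime parse the offset ```
| eval epoch=strptime(replace(Date, "Z$", "+0000"), "%Y-%m-%dT%H:%M:%S.%3N%z")
``` Render from epoch in the user's time zone, keeping the offset visible ```
| eval Date_local=strftime(epoch, "%Y-%m-%d %H:%M:%S.%3N %z")
| table Date Date_stripped epoch Date_local
```

For a table that sorts and compares correctly across hosts logging in different zones, keep `epoch` (or `_time`) as the working field and use the formatted string only for display.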


jmcaloon
Explorer

When trying that command at the end with the eval, it was still the same results.

0 Karma

somesoni2
SplunkTrust

There was a typo in the regex and command name. Try the updated answer.

0 Karma

jmcaloon
Explorer

Tried the updated results and still no luck. Is there such a command just to parse out from the specific variable that is being called? So for an example replace Date "T" "z" etc. I am new to Splunk so still trying to figure everything out.

0 Karma

somesoni2
SplunkTrust

My bad. I didn't capture the millisecond part in the regex, hence it didn't work. Actually I tried with a simpler regex and it worked. See this run-anywhere sample. Try the updated answer now.

| gentimes start=-1 | eval Date="2017-02-23T16:22:09.956Z" | table Date | eval Date_Updated=replace(Date,"^(.+)T(.+)Z$","\1 \2")
0 Karma

jmcaloon
Explorer

That worked perfectly. Thank you

0 Karma