Solved: How do you get Splunk to change timestamps from a ...

UMDTERPS · ‎02-06-2019

We are using a lookuptable with CSV's for reports. However, the _time field has the following format for time:

2015-06-10T20:04:51.254843Z

How do I get Splunk to interpret that for _time?

Is there a way to edit the _time field to get rid of everything from the "T" on and show 2015-06-10 and use strptime?

Thanks!

chrisyounger · ‎02-06-2019

This time can be parsed by strptime without any changes. For example

|makeresults | eval time = "2015-06-10T20:04:51.254843Z" | eval parsedTime = strptime(time, "%Y-%m-%dT%H:%M:%S.%6QZ")

chrisyounger · ‎02-06-2019

This time can be parsed by strptime without any changes. For example

|makeresults | eval time = "2015-06-10T20:04:51.254843Z" | eval parsedTime = strptime(time, "%Y-%m-%dT%H:%M:%S.%6QZ")

UMDTERPS · ‎02-07-2019

It works somewhat, but the eval of 2015-06-10T20:04:51.254843Z converts the time to:

2019-02-07 10:09:54

The time should be June 10, 2015.

I'm trying to get Spunk to interpret the format of our time field " 2015-06-10T20:04:51.254843Z" to make a time graph.

?

Vijeta · ‎02-07-2019

you need to assign _time to the lookup time value.

For ex.

eval _time=strptime(lookuptime,"%Y-%m-%dT%H:%M:%S.%6QZ")

UMDTERPS · ‎02-08-2019

| inputlookup REPORT.csv | eval time=strptime(lastLogonTimestamp,"%m/%d/%y")

The above seemed to work.

Thanks everyone!

How do you get Splunk to change timestamps from a lookup table?