- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Problem in displaying timestmap
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem in displaying timestmap
Hi ,
There is a requirement to change the time format from "04/04/14 13:11:37" to "Mon April 04 2014 13:11:37" .I tried the search query
index=fxr SNM* ASRRLUI | rex "^\S+\s(?<unique_field>\S+.\S+) ::"|transaction unique_field startswith="User logged off" endswith="Processing complete"| rex field=_raw "::\s(?<success_t>\S+\s\d+:\d+:\d+) :: User logged off"|eval Output_Timestamp=strptime(success_t,"%y/%m/%d %H:%M:%S")|eval Timestamp=strftime(Output_Timestamp,"%a %B %e %T %Y")|table success_t Output_Timestamp Timestamp unique_field
When the above search query is ran,the result is not getting displayed for some events.The #1 logs displays the timestamp whereas #2 doesnt displays the Timestamp.
The sample logs are as follows
1)
SNM4 ASRRLUI.43U :: 04/04/14 18:18:44 :: Processing complete
SNM4 ASRRLUI.43U :: 04/04/14 18:18:44 :: .
SNM4 ASRRLUI.43U :: 04/04/14 18:18:44 :: .
SNM4 ASRRLUI.43U :: 04/04/14 18:18:44 :: .
SNM4 ASRRLUI.43U :: 04/04/14 18:18:41 :: User logged off, Processing will begin
SNM4 ASRRLUI.43U :: 04/04/14 18:18:41 :: All received data will be processed as SAF for BTWA3FLR
2)SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: User logged off, Processing will begin
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:28 :: Processing complete
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Jananee_iNautix,
take a closer look at this eval you're using:
eval Output_Timestamp=strptime(success_t,"%y/%m/%d %H:%M:%S")
you want to have month at second place in success_t value, but look at the second example you provided:
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: User logged off, Processing will begin
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:24 :: .
SNM4 BTWA3SLR.665F :: 05/14/14 18:24:28 :: Processing complete
what could be the 14th month of the year?
So, this is not the month but something different.
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you're welcome. please mark this answered by ticking the tick - thx
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks....
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
