Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to customize time in search not in indexing time

DataOrg
Builder
‎03-07-2018 04:25 AM

I have a field as created time.
06-03-2018 13:03:51
06-03-2018 13:03:37
06-03-2018 13:03:38

i want only the date as "06-03-2018". i used strftime but couldnt convert it

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎03-07-2018 04:33 AM

HI @premranjithj,
try this:

...| eval temp=split(created_time," ")| eval created_time=mvindex(temp,0)

try this run anywhere search:

|makeresults|eval created_time="06-03-2018 13:03:51"| eval temp=split(created_time," ")| eval created_time=mvindex(temp,0)

View solution in original post

Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎03-07-2018 04:33 AM

HI @premranjithj,
try this:

...| eval temp=split(created_time," ")| eval created_time=mvindex(temp,0)

try this run anywhere search:

|makeresults|eval created_time="06-03-2018 13:03:51"| eval temp=split(created_time," ")| eval created_time=mvindex(temp,0)
Reply
Solved! Jump to solution

DataOrg
Builder
‎03-07-2018 06:51 AM

created_time
06-03-2018
12:43:56
time stamps are in single fields but time is cumng in new line. how to ignore new line timestamp

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎03-07-2018 07:35 AM

if I understood correctly that if created_time is multivalue field then try this run anywhere search:

|makeresults|eval created_time="06-03-2018"
|append[|makeresults|eval created_time="13:03:51"]
|stats values(created_time) as created_time
| eval created_time=mvindex(created_time,0)
0 Karma
Reply
Solved! Jump to solution

DataOrg
Builder
‎03-07-2018 08:56 AM

06-03-2018
12:43:56

time and date is a single value but time is cumng in new line.I dont want time

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎03-07-2018 09:01 AM

have you tried this:

 ...| eval created_time=mvindex(created_time,0)
0 Karma
Reply
Solved! Jump to solution

DataOrg
Builder
‎03-07-2018 09:33 AM

yes it not worked

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎03-07-2018 09:39 AM

then try this regex:

...|rex field=created_time "(?<a>\S+)"
Reply
Solved! Jump to solution

DataOrg
Builder
‎03-07-2018 09:51 AM

06-03-2018 13:03:51. how to change this into strftime(created_time"%y/%b/%d")

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎03-07-2018 10:02 AM

try this:

|eval created_time=strftime(strptime(created_time,"%d-%m-%Y %H:%M:%S"),"%Y/%b/%d")
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...