Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Changing date_hour format

krusovice
Path Finder
‎03-05-2018 06:24 PM

Hi all,

I would like to use date_hour as part of the query. The result of date_hour showing 1,2,3....23. How can I change the format of date_hour to become e.g. 1 is 1:00 to 1:59, 20 is 20:00 to 20:59?

Thanks for your help in advance.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎03-05-2018 07:02 PM

@krusovice, you can try the following

<yourcurrentsearch>
| eval date_hour=if(len(date_hour)==1,"0".date_hour.":00",date_hour.":00")
| sort date_hour

Following is a run anywhere search based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by date_hour
| eval date_hour=if(len(date_hour)==1,"0".date_hour.":00",date_hour.":00")
| sort date_hour
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

Reply
Solved! Jump to solution
Solution

niketn
Legend
‎03-05-2018 07:02 PM

@krusovice, you can try the following

<yourcurrentsearch>
| eval date_hour=if(len(date_hour)==1,"0".date_hour.":00",date_hour.":00")
| sort date_hour

Following is a run anywhere search based on Splunk's _internal index

index=_internal sourcetype=splunkd log_level!="INFO"
| stats count by date_hour
| eval date_hour=if(len(date_hour)==1,"0".date_hour.":00",date_hour.":00")
| sort date_hour
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
Reply
Solved! Jump to solution

krusovice
Path Finder
‎03-05-2018 07:30 PM

Hi @niketnilay,

It's work fine to display 01:00, 02:00...etc. However my requirement is to able to display as "01:00 - 01:59", how can I achieve that?

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-05-2018 07:35 PM

Try the following then:

| eval date_hour=if(len(date_hour)==1,"0".date_hour.":00 - ".date_hour.":59",date_hour.":00 - ".date_hour.":59")
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

krusovice
Path Finder
‎03-05-2018 07:44 PM

Thank you so much for the answer, my result looking great now 🙂

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎03-05-2018 07:46 PM

Glad it worked 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

REGISTER NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If ...

Observability | Use Synthetic Monitoring for Website Metadata Verification

If you are on Splunk Observability Cloud, you may already have Synthetic Monitoringin your observability ...

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...