When using a search and calling out timestamp I am getting weird results on how the Timestamp is being formatted. Here is my current search I am using:
ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID"
The formatting I am using is returning this as the date column for this issue:
2017-02-23T16:22:09.956Z
Is there a way I can remove that T and Z and just add a space? This seems to be happening on every search I try that includes the date.
Thank you,
Jack
Try like this
fixed typos updated regex
ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID" | eval Date=replace(Date,"^(.+)T(.+)Z$","\1 \2")
Alternate option
ComputerName=* UserName=* CommandLine=* ImageFileName=* FileName=* RawProcessId_decimal=* TargetProcessId_decimal=*|spath CommandLine|fieldformat Timestamp=strftime(Timestamp, "%y/%d/%m/ %H:%M:%S") |table timestamp ComputerName, UserName, FileName, RawProcessId_decimal, TargetProcessId_decimal, CommandLine,| rename timestamp AS "Date", ComputerName AS "Host", UserName AS "User", CommandLine AS "Command Line", FileName AS "File Name", RawProcessId_decimal AS "PID", TargetProcessId_decimal AS "Process ID"| replace *T*Z with "* *" in Date
Here is something else I use that usually helps me out
| rex field=updated "(?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+\.\d+)"
| eval timestamp=timestampA + timestampB
| eval timestamp=strptime(timestamp, "%Y-%m-%d%H:%M:%S.%3N")
| eval timestamp=strftime(timestamp, "%c")
| fields - timestampA timestampB
Be aware that the Z is explicitly specifying that your time is in UTC (zulu). The T seems somewhat useless to me -- anything with colons in that spot must be a time -- but the time zone can be helpful for understanding the results. Why are so many people logging on at 9 PM? Because they just got back from lunch in California.
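The caveat in the comment above (the Z is an explicit UTC marker), as an added Python example that is not from the thread and not Splunk code: it applies the same `^(.+)T(.+)Z$` replacement outside SPL, then shows what a downstream consumer loses once the zone marker is gone and has to guess a zone. The sample timestamps are constructed, and a fixed -08:00 offset stands in for America/Los_Angeles so the script has no tz database dependency (correct for these February dates).

```python
"""Added example (not from the thread): what dropping the T and Z costs.

The thread's fix is cosmetic: replace(Date, "^(.+)T(.+)Z$", "\\1 \\2").
The Z says the instant is UTC; once it is gone, anything that re-parses
the string has to assume a zone. This reproduces the transformation and
shows the assumption going wrong by a full zone offset.
"""
import re
from datetime import datetime, timedelta, timezone, tzinfo

# Constructed sample values in the shape the thread shows (ISO 8601,
# millisecond precision, trailing Z). Not real log data.
SAMPLE_TIMESTAMPS = [
    "2017-02-23T16:22:09.956Z",
    "2017-02-23T21:05:00.000Z",
]

ISO_Z_RE = re.compile(r"^(.+)T(.+)Z$")
ISO_Z_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

# Fixed offset used instead of a tz database lookup (assumption for the
# example); -08:00 is correct for US Pacific time on these February dates.
PACIFIC_STANDARD = timezone(timedelta(hours=-8), "PST")


def strip_t_and_z(value: str) -> str:
    """The thread's replace() expressed in Python: same regex, same result."""
    return ISO_Z_RE.sub(r"\1 \2", value)


def parse_utc(value: str) -> datetime:
    """Parse the original string as what the Z declares: a UTC instant."""
    return datetime.strptime(value, ISO_Z_FMT).replace(tzinfo=timezone.utc)


def to_epoch(value: str) -> float:
    """Epoch seconds of the UTC instant (what Splunk's _time would hold)."""
    return parse_utc(value).timestamp()


def format_in_zone(value: str, zone: tzinfo) -> str:
    """Render the instant in an explicit zone with the zone name attached,
    so a reader can tell 08:22 PST from 16:22 UTC at a glance."""
    return parse_utc(value).astimezone(zone).strftime("%Y-%m-%d %H:%M:%S %Z")


def local_hour(value: str, zone: tzinfo) -> int:
    """Hour of day in the given zone; answers 'why are logons at 9 PM?'."""
    return parse_utc(value).astimezone(zone).hour


def reparse_stripped_as(stripped: str, assumed_zone: tzinfo) -> float:
    """Re-parse a T/Z-stripped string the way a downstream consumer would:
    with no zone marker left it must assume one. Returns epoch seconds."""
    naive = datetime.strptime(stripped, "%Y-%m-%d %H:%M:%S.%f")
    return naive.replace(tzinfo=assumed_zone).timestamp()


def stripping_error_seconds(value: str, assumed_zone: tzinfo) -> float:
    """How far the re-parsed, stripped value lands from the true instant."""
    return reparse_stripped_as(strip_t_and_z(value), assumed_zone) - to_epoch(value)


if __name__ == "__main__":
    for ts in SAMPLE_TIMESTAMPS:
        print(ts, "->", strip_t_and_z(ts),
              "| UTC epoch", to_epoch(ts),
              "|", format_in_zone(ts, PACIFIC_STANDARD),
              "| error if re-read as PST:",
              stripping_error_seconds(ts, PACIFIC_STANDARD), "s")
```

If the column is only for humans, stripping the T and Z is fine; if anything re-ingests or joins on the value, keep the Z or render an explicit zone name as `format_in_zone` does, otherwise an eight-hour error like the one `stripping_error_seconds` reports is silent.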
When trying that command at the end with the eval, it was still the same results.
There was a typo in the regex and command name. Try the updated answer.
Tried the updated results and still no luck. Is there such a command just to parse out from the specific variable that is being called? So for example, replace Date "T" "z" etc. I am new to Splunk so still trying to figure everything out.
My bad. I didn't capture the millisecond part in the regex, hence it didn't work. Actually I tried with a simpler regex and it worked. See this run-anywhere sample. Try the updated answer now.
| gentimes start=-1 | eval Date="2017-02-23T16:22:09.956Z" | table Date | eval Date_Updated=replace(Date,"^(.+)T(.+)Z$","\1 \2")
That worked perfectly. Thank you