Ad slot: top
GoSplunk SPL + dashboard repository
Log in Register

SPL

Remove Z or T string from your Timestamp

REST eval

Description

Submitted by sahr.lebbie

| rest /services/authentication/current-context | table username roles updated | search username!=splunk-system-user | rex field=updated (?<timestampA>\d{4}-\d{2}-\d+)T(?<timestampB>\d+:\d+:\d+.\d+) | eval timestamp= timestampA + timestampB | eval timestamp = strptime(timestamp, "%Y-%m-%d%H:%M:%S.%3N") | eval timestamp=strftime(timestamp, "%c") |fields - timestampA timestampB
2 3

Comments

1 total

CH
Chris K
2/1/2018

Why not just do this?\r\n\r\n| rest /services/authentication/current-context\r\n| table username roles updated\r\n| search username!=splunk-system-user\r\n| eval timestamp = strftime(strptime(updated, \"%Y-%m-%dT%H:%M:%S.%3N\"), \"%c\")\r\n| fields timestamp

Leave a comment

You must log in to post a comment.

Ad slot: bottom