| makeresults
| eval start="2024-04-30T11:59:24.123Z"
| eval start=strftime(strptime(start, "%FT%T.%Q%Z"), "%F %T")

This works which would seem to suggest that the values you have in start (and end) are not in this format. Please can you share some examples which aren't working?

The date transformation is working, i test it. My concerned is how(where) to insert it in my search query . When i add the transfo at the end of the query nothing happen.

Here my full request which display a table well structured but with the date end and start date in this format 2024-04-30T12:01:04.215Z and not in this one 2024-04-30 14:01:04

search | table guid  property value| | xyseries guid property value | fields guid start end duration status | eval start=strftime(strptime(start, "%FT%T.%Q%Z"), "%F %T")

Here is a runanywhere example showing it working

| makeresults
| eval guid=1
| eval property="start"
| eval value="2024-04-30T12:01:04.215Z"
| xyseries guid property value
| eval start=strftime(strptime(start, "%FT%T.%Q%Z"), "%F %T")

Please share some actual examples (anonymised of course) where this technique does not work

Thanks it's work great.

Is there a way to order the value of the column property?

Hello ,

 | fields guid start end duration status 

is there  way to reformat a field for exemple here the start? i want to apply the format done by that :

| eval start=strftime(strptime(start, "%FT%T.%Q%Z"), "%F %T")  

Thanks

LAurent

Firstly, this seems to be a different question. Secondly, haven't you already received and accepted a solution here 

Yes but is it to apply the result of the date reformating provided into a fields of this answer :).  But i can open a new topic if necessary

OK assuming your start and end fields match the timestamp format you are using to parse, then this should work for both fields (but your example data doesn't show it as such). Have you tried it?

i have test the format directly to the value it's work.

my concerne is to apply it after the xseries on =>  | fields guid start end duration status .

On the result of the field start if i put the eval at the end it doesn't work.

Exactly what have you tried and exactly what doesn't work? What results / errors messages do you get?

Hello, thanks for answering

there is no errors the time formating is not take into account here my query:

<query>index="xxx"  earliest=$timerange.earliest$ latest=$timerange.latest$ | table guid, "parameter", "value"| xyseries "guid", "parameter", "value" | fields "guid" "type" "Start Time" "End Time" "Duration"  | eval fields "Start Time" = strftime("Start Time", "%d/%m/%y %H:%M:%S") | sort 0 - "Start Time" </query>

as i explained start time is not reformated as expected it's on orignal format!

guid type start time end time duration        

thanks

Laurent

Is "Start Time" an epoch time?

If not, you need to parse it to an epoch time before formatting to a different format. Since you are sorting, you should parse, sort, then format.

Hello

no start time is in this format 2024-05-20T04:00:53.847Z and after the eval the result is the same 2024-05-20T04:00:53.847Z ! how to put on epoch time and transform it?

thanks

Laurent

You need to use strptime() to parse the time string into an epoch time.

Hello

i have done the following query but this is not affecting the result of the column Start Time on the result! 

eval fields "Start Time" = strftime(strptime("Start Time", "%FT%T.%Q%Z"), "%F %T") | reverse

When i try directly on the value of this fields whith a query  it's works!

index="xxx" x   |  table "Interface" "Status"| stats latest("Status") as latest_time by "Interface"| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T") | sort 0 - latest_time

i think it's more a problem with the position of the eval on the query which doesn't affect the display!

thanks

Laurent

When you use a field name with embedded spaces on the right hand side of an assignment, it should be in single quotes (not double quotes)

eval "Start Time" = strftime(strptime('Start Time', "%FT%T.%Q%Z"), "%F %T") | reverse

Hello

many thanks for the feedback now it's working perfectly, it was the story of the simple quote instead of the double 👍 thanks again