Additional clarifications on time module and formatting

[kris-watts-gravwell]

Referencing this: https://docs.gravwell.io/search/time/time.html

What is the enhancement to be made?

the -f flag is a little unclear that it it is for input and output. A few more examples would be good.

I would like to see an example that shows how to take an EV that is a string, turn it into a timestamp, then format it to another output:

This query felt like it should have puked out the two outtime evs with the specified format:

tag=testxml first 
| xml event[time] 
| time -f "Mon Jan _2 15:04:05 2006 MST" TIMESTAMP outtime1 
| time -f "Mon Jan _2 15:04:05 2006 MST" time outtime2
| table TIMESTAMP time outtime1 outtime2

But what i REALLY needed was:

time time outtime2 | time -f ... outtime2 what_i_really_wanted

Why should we make this change? (Business justification? What problem is the feature trying to solve?)

Just add another example or two of what it looks like to take a timestamp and reformat it for human consumption in query.

Any other comments?

...

[ashnwade]

potentially puntable. fritz expressed wanting to do some changes to the module itself