topic Re: Add x hours to epoch time in Splunk Enterprise

Add x hours to epoch time

willadams — Wed, 30 Sep 2020 05:01:30 GMT

I have a log that contains multiple time fields

_time (ingest time)
Processed time (processed_time)
Actioned time (actioned_time)
Result time (result_time)

_time or ingest time is configured in props to adjust the timezone (due to no offset in the original log) I need for my timezone so its working fine. However the rest of the fields are just static fields. I went through doing the following for processed time (an example time stamp is Apr 10 2020 05:45:52)

So I wrote the following SPL to convert the static field "processed_time" to epoch

index=foo
| eval epoch_time(strptime(processed_time, "%b %d %Y %H:%M:%S")
| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S"

What I would like to do is add time to this event. So if I wanted to add 2, 4, 9 hours to this field how would I do that?

I tried doing

| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %:::z +8)

and

| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %Z)

but all this does is set the offset to +8 in this example or the timezone I am in with %Z. I need this time (processed_time) as well as actioned_time and result_time to show me in this example, 8 hours later.

What I also want to know is how do I then put this into something like props or transforms so I don't have to do this via SPL?

Re: Add x hours to epoch time

harishalipaka — Thu, 16 Apr 2020 07:27:45 GMT

hi @willadams

add milliseconds to direct epoch

1 day = 86400
1 hour=3600

| eval epoch_time=strptime(processed_time, "%b %d %Y %H:%M:%S")+3600

Re: Add x hours to epoch time

willadams — Thu, 16 Apr 2020 07:38:38 GMT

Of course that makes perfect sense. Its epoch which is seconds and I was viewing this as hours in my head. Thanks.

Regarding my second query I guess I will just add to props maybe transforms to do it for me..?

Re: Add x hours to epoch time

to4kawa — Thu, 16 Apr 2020 08:19:53 GMT

transforms.conf

INGEST_EVAL = <comma-separated list of evaluator expressions>

try INGEST_EVAL

reference:

| makeresults 
| eval accesstime="Apr 10 2020 05:45:52"
| eval access_epoch=round(strptime(accesstime." +0800","%b %d %Y %T %Z"))
| convert ctime(access_epoch) as check_access_epoch

Re: Add x hours to epoch time

willadams — Fri, 17 Apr 2020 05:12:11 GMT

Still a bit lost here

So would I do this in transforms / props for example

transforms

[myeval]
ingest_eval = epoch_time(strptime(processed_time, "%b %d %Y %H:%M:%S")+3600, eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")

ingest_eval2 = epoch_time2(strptime(actioned_time, "%b %d %Y %H:%M:%S")+3600, eval actioned_time_normalized=strftime(epoch_time2, "%b-%d-%Y %H:%M:%S")

props

[mysourcetype]
TRANSFORMS=ingest_eval
TRANSFORMS=ingest_eval2

Re: Add x hours to epoch time

to4kawa — Fri, 17 Apr 2020 10:34:48 GMT

check https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/IngestEval
and correct the mistake

Re: Add x hours to epoch time

willadams — Fri, 17 Apr 2020 11:05:10 GMT

transforms

[myeval]
ingest_eval = epoch_time=(strptime(processed_time, "%b %d %Y %H:%M:%S")+3600, processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")

[myeval2]

ingest_eval = epoch_time2=(strptime(actioned_time, "%b %d %Y %H:%M:%S")+3600, actioned_time_normalized=strftime(epoch_time2, "%b-%d-%Y %H:%M:%S")

** props **

TRANSFORMS=myeval
TRANSFORMS=myeval2

** fields **

[actioned_time_normalized]
INDEXED = True

[processed_time_normalized]
INDEXED = True

Re: Add x hours to epoch time

to4kawa — Fri, 17 Apr 2020 11:47:58 GMT

TRANSFORMS-<class> = <transform_stanza_name>, <transform_stanza_name2>,...

props.conf

TRANSFORMS-myevals=myeval, myeval2

and The rest looks good, let's reboot and check new events. how?

Re: Add x hours to epoch time

willadams — Fri, 17 Apr 2020 12:06:25 GMT

They should come up within the sourcetype as an indexed field.

Thanks @to4kawa !!!

Re: Add x hours to epoch time

to4kawa — Fri, 17 Apr 2020 12:14:07 GMT

good job! Happy Splunking!
and thank you @willadams
You are finding the answer yourself.

Re: Add x hours to epoch time

willadams — Fri, 17 Apr 2020 13:01:19 GMT

Thank you for the guidance @to4kawa