topic Re: How to extract time and format using regex? in Splunk Search

How to extract time and format using regex?

ninisimonishvil — Wed, 29 Aug 2018 11:11:18 GMT

Hello fellows,

I have an issue that I'm not really sure how to solve.

Well in event I have time in following format "datetime":"20180829 073501672".

I have created a regex that will extract this line but now I need to format it following way 2018 08 29 07:35:01:672.

Any suggestions?

Re: How to extract time and format using regex?

inventsekar — Wed, 29 Aug 2018 11:36:07 GMT

Convert it into a date type variable using strptime and then format it using stftime -

yoursearch....| eval datetimeNEW=strftime(strptime(datetime, "%Y%m%d %H%M%S%3Q"), "%Y %m %d %H:%M:%S:%3Q")

Re: How to extract time and format using regex?

ninisimonishvil — Wed, 29 Aug 2018 11:48:23 GMT

Thanks it worked. however now with this, I will not be able to make _time (index time) = datetimeNEW correct?

Re: How to extract time and format using regex?

inventsekar — Tue, 29 Sep 2020 21:04:59 GMT

you can use _time inside the strptime command...
eval datetimeNEW=strftime(strptime(_time, "%Y%m%d %H%M%S%3Q"), "%Y %m %d %H:%M:%S:%3Q")

Re: How to extract time and format using regex?

ninisimonishvil — Wed, 29 Aug 2018 13:31:15 GMT

sorry for confusion what I meant is that I don't want _time to be equal to index time (that's what splunk does right now) I want it to use my datetimeNEW as a _time.

Re: How to extract time and format using regex?

inventsekar — Wed, 29 Aug 2018 14:39:06 GMT

well, once the data is indexed, we can not / should not update the timestamp "_time ".
maybe, if you update us the more clear info about your issue, there can be some workaround.

Re: How to extract time and format using regex?

ninisimonishvil — Thu, 06 Sep 2018 09:15:11 GMT

one more question, how can I make a small change in my datetimnew? something like eval eval newtime=datetimenew+4 hours?

Re: How to extract time and format using regex?

inventsekar — Tue, 29 Sep 2020 21:09:13 GMT

from Ayn's answer at - https://answers.splunk.com/answers/103552/adding-seconds-to-time.html

_time is actually in epoch format, Splunk just converts the format automatically before showing it to you so that it's human readable. So, to add 4 seconds, just do eval _time=_time+4.

Note that this is purely a search-time operation - if you want to do this at index-time the problem is much more complex because functions for performing arithmetic etc are not available.

so, do the strptime/strftime conversions after adding the 4hrs to _time..
you can easily add 4 hours to _time like -
eval _time=_time+14400

Re: How to extract time and format using regex?

ninisimonishvil — Thu, 06 Sep 2018 10:13:59 GMT

thank, I did that, but however not getting results.
with eval newtime=datetimenew I see new field newtime in list but as soon as I add
eval newtime=datetimenew+14400 no results.

Re: How to extract time and format using regex?

inventsekar — Thu, 06 Sep 2018 10:33:35 GMT

check these...
| eval newtime=_time+14400
| eval datetimeNEW=strftime(strptime(newtime, "%Y%m%d %H%M%S%3Q"), "%Y %m %d %H:%M:%S:%3Q")

or

| eval datetimenew_epoch = strptime('datetimenew', "%Y %m %d %H:%M:%S:%3Q")
| eval datetimeAdded = datetimenew_epoch + 14400
| eval datetimeResult = strftime(datetimeAdded,  "%Y %m %d %H:%M:%S:%3Q")

Re: How to extract time and format using regex?

ninisimonishvil — Thu, 06 Sep 2018 13:09:57 GMT

yes thanks! I just messed up with parentheses.