topic calculated fields with strptime in Splunk Search

calculated fields with strptime

Bastelhoff — Fri, 23 Apr 2021 16:59:11 GMT

Hey there,

I have a _raw where I am extracting a timestamp. But this is in a bad format. So I wanted to have a "calculated field" (via the splunk interface option, not in the conf to which I dont have access). But while other calculated fields seem to work.
basically I have a field called "exTimeString". I want to create a calculated field exTimeStamp What I put into the eval field is:
strptime(exTimeString,"%Y-%m-%dT%H:%M:%S")

Unfortunately it doesn't work. Is it because of the strptime? Ormaybe the % characters cause issues here?

Re: calculated fields with strptime

ITWhisperer — Fri, 23 Apr 2021 17:26:43 GMT

What is not working (because it looks like you have strptime correct)?

| eval exTimeStamp=strptime(exTimeString,"%Y-%m-%dT%H:%M:%S")

Can you share a sample event and how you have extracted exTimeString from it?

Re: calculated fields with strptime

Bastelhoff — Fri, 23 Apr 2021 17:56:04 GMT

Yeah, this eval works when I just convert the extracted field at runtime. But I'd like to have it calculated via "Calculated Fields" (as in Settings->Fields->Calculated Fields)

The original extraction is:
\"summary\"\:\"\{.*?\"timestamp\\\"\:\\\"(?<exTimeString>.*?)\\\".*?\}

This then correctly generates a field exTimeString with content like
2021-04-23T17:27:21.000Z

If I do a search with
index=myIndex
|table exTimeString
| eval exTimeStamp=strptime(exTimeString,"%Y-%m-%dT%H:%M:%S")

that also works and returns a valid timstamp (which for example I could use as _time in timecharts)

but if I put
strptime(exTimeString,"%Y-%m-%dT%H:%M:%S")

into calculated fields instead, it does not work. The calculated field just doesnt show up.