topic Conversion to UNIX time in Splunk Search

Conversion to UNIX time

zacksoft — Wed, 07 Feb 2018 08:36:19 GMT

I want to convert my default _time field to UNIX/Epoch time and have it in a different field. This is how the Time field looks now.

2/7/18

3:35:10.531 AM

Re: Conversion to UNIX time

FrankVl — Tue, 29 Sep 2020 17:58:17 GMT

That's just how _time automatically get's presented, under the hood, it is still a UNIX timestamp value. So you can simply do:
| eval mytime=_time

Re: Conversion to UNIX time

zacksoft — Tue, 29 Sep 2020 18:01:04 GMT

If it is internally represented at epoch time, then can math functions be applied to _time field directly ? i.e. new_time = _time + 30m ('new_time' is the time after 30 minutes) ..something like this ?

Re: Conversion to UNIX time

493669 — Wed, 07 Feb 2018 08:54:40 GMT

_time is already in epoch format...
so try:

...|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")

but if time is in different field then try this run anywhere search:

| makeresults |eval time="2/7/18 3:35:10.531 AM"|eval Time=strptime(time,"%m/%d/%y %I:%M:%S.%3N %p")

Re: Conversion to UNIX time

zacksoft — Wed, 07 Feb 2018 08:58:23 GMT

Can I perform math functions like add/subtract to the time field after using
|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") ?

example new_time = time +39s ??

Re: Conversion to UNIX time

493669 — Wed, 07 Feb 2018 08:59:01 GMT

so you have to convert min into sec. and then add. here 30m=30*60sec

new_time=_time+1800|eval new_time=strftime(new_time,"%Y-%m-%d %H:%M:%S")

Re: Conversion to UNIX time

493669 — Wed, 07 Feb 2018 08:59:50 GMT

so you have to convert min into sec. and then add. here 30m=30*60sec

new_time=_time+1800|eval new_time=strftime(new_time,"%Y-%m-%d %H:%M:%S")

Re: Conversion to UNIX time

493669 — Wed, 07 Feb 2018 09:02:48 GMT

you have to perform math before strftime function

Re: Conversion to UNIX time

mayurr98 — Wed, 07 Feb 2018 09:51:46 GMT

hey @zacksoft

You can use strftime(X,Y) to convert in a specified time format in Y and strptime(X,Y) to convert the same in epoch time.
have a look at this doc
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/DateandTimeFunctions#strftime.28X.2CY.29

For time format, you can have a look at this doc
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Try this run anywhere search for more:

| gentimes start=-1 end=20 
| eval Endtime=strftime(endtime,"%d/%m/%Y %H:%M:%S"),Starttime=strftime(starttime,"%d/%m/%Y %H:%M:%S"),Starthuman=strptime(starthuman,"%a %b %d %H:%M:%S %Y"),Endhuman=strptime(endhuman,"%a %b %d %H:%M:%S %Y") 
| table starttime Starttime endtime Endtime starthuman Starthuman endhuman Endhuman

let me know if this helps!