https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77699#M19628 <P>This solution doesn't appear to account for timezone, which Splunk automatically adjusts for. By adding a % before the Z, Splunk will not perform this adjustment, which unless you have your timezone set as GMT you dont want (this assumes its ACTUALLY zulu time).</P> <P>Assuming you dont need to do the hyphen replacement, you can also shorthand the format to "%FT%T.%5N%Z"</P> <P>The solution thus becomes:<BR /> <CODE>eval time = strptime("2013-03-27T21:00:32.950000000Z", "%FT%T.%5N%Z")<BR /> </CODE></P> <P>or<BR /> <CODE>eval time = strptime("2013-03-27T21:00:32.950000000Z", "%Y-%m-%dT%H:%M:%S.%9N%Z")<BR /> </CODE></P> Thu, 25 Feb 2016 21:08:16 GMT Aether 2016-02-25T21:08:16Z https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77695#M19624 <P>Some Windows events report date/time in zulu format: “‎2013‎-‎03‎-‎27T21:00:32.950000000Z”. I want to convert to epoch. Tried “</P> <BLOCKQUOTE> <P>eval pt1=strptime(Previous_Time,"%Y-%m-%dT%H:%M:%S.%9NZ")</P> </BLOCKQUOTE> <P>and some variants. Unfortunately no result. I am obviously overlooking something. Who knows what?</P> Thu, 28 Mar 2013 12:24:40 GMT https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77695#M19624 landzaat 2013-03-28T12:24:40Z https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77696#M19625 <P>This works for me:</P> <PRE><CODE>eval time = strptime("2013-03-27T21:00:32.950000000Z", "%Y-%m-%dT%H:%M:%S.%9NZ") </CODE></PRE> <P>...but only if I type the date in myself. If I copy your date string it fails because the dashes in your date string aren't dashes. Using your copied date string, I need to do this to make it work:</P> <PRE><CODE>eval time = strptime(replace("2013‎-‎03‎-‎27T21:00:32.950000000Z", "\D", ""), "%Y%m%d%H%M%S%9N") </CODE></PRE> Thu, 28 Mar 2013 12:37:02 GMT https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77696#M19625 martin_mueller 2013-03-28T12:37:02Z https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77697#M19626 <P>Thanks. Never thought strings could be not what they look like. Valuable hint for all coming troubleshoots.</P> Thu, 28 Mar 2013 13:31:58 GMT https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77697#M19626 landzaat 2013-03-28T13:31:58Z https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77698#M19627 <P>I've copied your string into my Notepad++ and it comes out as ?-? for the dashes when trying to interpret them as ANSI, gibberish when trying to interpret them as UTF-8</P> Thu, 28 Mar 2013 13:42:36 GMT https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77698#M19627 martin_mueller 2013-03-28T13:42:36Z https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77699#M19628 <P>This solution doesn't appear to account for timezone, which Splunk automatically adjusts for. By adding a % before the Z, Splunk will not perform this adjustment, which unless you have your timezone set as GMT you dont want (this assumes its ACTUALLY zulu time).</P> <P>Assuming you dont need to do the hyphen replacement, you can also shorthand the format to "%FT%T.%5N%Z"</P> <P>The solution thus becomes:<BR /> <CODE>eval time = strptime("2013-03-27T21:00:32.950000000Z", "%FT%T.%5N%Z")<BR /> </CODE></P> <P>or<BR /> <CODE>eval time = strptime("2013-03-27T21:00:32.950000000Z", "%Y-%m-%dT%H:%M:%S.%9N%Z")<BR /> </CODE></P> Thu, 25 Feb 2016 21:08:16 GMT https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77699#M19628 Aether 2016-02-25T21:08:16Z https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77700#M19629 <P>This solution doesn't appear to account for timezone, which Splunk automatically adjusts for. By adding a % before the Z, Splunk will not perform this adjustment, which unless you have your timezone set as GMT you dont want (this assumes its ACTUALLY zulu time).</P> <P>Assuming you dont need to do the hyphen replacement, you can also shorthand the format to "%FT%T.%5N%Z"</P> <P>The solution thus becomes:<BR /> <CODE>eval time = strptime("2013-03-27T21:00:32.950000000Z", "%FT%T.%5N%Z")<BR /> </CODE></P> <P>or<BR /> <CODE>eval time = strptime("2013-03-27T21:00:32.950000000Z", "%Y-%m-%dT%H:%M:%S.%9N%Z")<BR /> </CODE></P> Thu, 25 Feb 2016 21:10:39 GMT https://community.splunk.com/t5/Splunk-Search/Convert-Zulu-time-to-epoch/m-p/77700#M19629 Aether 2016-02-25T21:10:39Z