https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229961#M68136 <P>Before you jump on doing all the calculation and conversions, the _time is a special field in Splunk whose actual value is already in epoch format but displayed in human readable format when show in Splunk UI. Any operation done with value of _time is already in epoch. If you want to see the epoch value of it, just create a new field with same value as _time </P> <PRE><CODE>your base search | eval Processed_time=_time | table Processed_Time </CODE></PRE> Wed, 02 Mar 2016 19:22:18 GMT somesoni2 2016-03-02T19:22:18Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229958#M68133 <PRE><CODE>_time 2016-03-02 07:00:13.405 </CODE></PRE> <P>Above _time is the data format in the logs. I need to find difference between a few dates, so I'm trying to convert to epoch<BR /> Used the following search, but when I table the output, I don't get the converted time:</P> <PRE><CODE>| eval Processedtime=strptime(_time,"%Y-%m-%d %H:%M:%S") | table Processedtime </CODE></PRE> <P>Appreciate any suggestions.</P> Wed, 02 Mar 2016 07:18:27 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229958#M68133 arunsubram 2016-03-02T07:18:27Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229959#M68134 <P>hi,<BR /> You will have to use "%s" ... you can refer <A href="http://docs.splunk.com/Documentation/Splunk/6.3.2/SearchReference/Commontimeformatvariables">here</A> for details.<BR /> Eg:<BR /> <CODE>| eval Processedtime=strptime(_time,"%s") | table _time,Processedtime</CODE></P> Wed, 02 Mar 2016 18:59:44 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229959#M68134 Yasaswy 2016-03-02T18:59:44Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229960#M68135 <P>Before going through the pin of converting epoch, maybe the "delta" command will do what you are looking to achieve. Delta will compute the difference between nearby results using the value of a specific numeric field. When used on the _time field it returns the difference in seconds.</P> Wed, 02 Mar 2016 19:02:46 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229960#M68135 bgraabek_splunk 2016-03-02T19:02:46Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229961#M68136 <P>Before you jump on doing all the calculation and conversions, the _time is a special field in Splunk whose actual value is already in epoch format but displayed in human readable format when show in Splunk UI. Any operation done with value of _time is already in epoch. If you want to see the epoch value of it, just create a new field with same value as _time </P> <PRE><CODE>your base search | eval Processed_time=_time | table Processed_Time </CODE></PRE> Wed, 02 Mar 2016 19:22:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229961#M68136 somesoni2 2016-03-02T19:22:18Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229962#M68137 <P>thanks this worked. </P> Thu, 03 Mar 2016 07:01:01 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229962#M68137 arunsubram 2016-03-03T07:01:01Z https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229963#M68138 <P>Noted, Thanks for the answer</P> Thu, 10 Jan 2019 07:52:55 GMT https://community.splunk.com/t5/Splunk-Search/Why-am-I-unable-to-convert-time-to-epoch-with-my-search/m-p/229963#M68138 christian_miran 2019-01-10T07:52:55Z