https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316928#M94816 <P>I can't seem to get the above snippet to change my Ephoch timestamp column to readable date - what am I doing wrong:</P> <P>(index="wsecu_apps" OR index="wsecu_mobile_app") (username="<EM>" AND Useragent="</EM>" AND http_method=POST) OR (username="<EM>" AND http_user_agent="</EM>") | table username, http_user_agent, Useragent, eval timestamp = strptime(timestamp, "%m/%d/%Y %H:%M"),I'm still getting strangness.</P> <P>Here is my query, the "timestamp" column is in the Epoch time and I just wanted to convert it to readable date:<BR /> (index="wsecu_apps" OR index="wsecu_mobile_app") (username="<EM>" AND Useragent="</EM>" AND http_method=POST) OR (username="<EM>" AND http_user_agent="</EM>") | table username, http_user_agent, Useragent, eval timestamp = strptime(timestamp, "%m/%d/%Y %H:%M")</P> <P>The query won't even run.</P> Wed, 30 Sep 2020 02:06:28 GMT hortoristic 2020-09-30T02:06:28Z https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316924#M94812 <P>Hi</P> <P>I'm trying to convert a certain date to epoch time to calculate it with the current time. But for some reason it didn't work.</P> <P>Here's my query:</P> <PRE><CODE>index="sample_data" sourcetype="management_sampledata.csv" Status!=Closed | eval reported_date = strptime("Reported Date", "%m/%d/%Y %H:%M") | eval timenow = now() </CODE></PRE> <P>The <CODE>eval timenow = now()</CODE> worked and it created a new field named "timenow". But the <CODE>eval reported_date=strptime("Reported Date", "%m/%d/%Y %H:%M")</CODE> didn't work. It does not create a new field named "reported_date" and so it did not convert the "Reported Date" to epoch time.</P> <P>What could be the problem with this query.</P> <P>Thanks in advance!</P> Fri, 01 Dec 2017 09:20:48 GMT https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316924#M94812 jvmerilla 2017-12-01T09:20:48Z https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316925#M94813 <P>Hi @jvmerilla,</P> <P>You are facing problem because there is whitespace in your Date field name you are giving it in <CODE>"</CODE> in <CODE>strptime</CODE> so please use below query</P> <PRE><CODE> index="sample_data" sourcetype="management_sampledata.csv" Status!=Closed | rename "Reported Date" AS Reported_Date | eval reported_date = strptime(Reported_Date, "%m/%d/%Y %H:%M") | eval timenow = now() </CODE></PRE> <P>I hope this helps.</P> <P>Thanks,<BR /> Harshil</P> Fri, 01 Dec 2017 09:28:54 GMT https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316925#M94813 harsmarvania57 2017-12-01T09:28:54Z https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316926#M94814 <P>Hi @harsmarvania57,</P> <P>It works!</P> <P>Thank you so much! <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 01 Dec 2017 09:33:16 GMT https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316926#M94814 jvmerilla 2017-12-01T09:33:16Z https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316927#M94815 <P>You can use as it is:</P> <P><CODE>index="sample_data" sourcetype="management_sampledata.csv" Status!=Closed<BR /> | eval reported_date = strptime('Reported Date', "%m/%d/%Y %H:%M")<BR /> | eval timenow = now()</CODE></P> <P>Just need to use single quotes instead of double quotes.</P> Thu, 21 Dec 2017 08:00:00 GMT https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316927#M94815 dsiob 2017-12-21T08:00:00Z https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316928#M94816 <P>I can't seem to get the above snippet to change my Ephoch timestamp column to readable date - what am I doing wrong:</P> <P>(index="wsecu_apps" OR index="wsecu_mobile_app") (username="<EM>" AND Useragent="</EM>" AND http_method=POST) OR (username="<EM>" AND http_user_agent="</EM>") | table username, http_user_agent, Useragent, eval timestamp = strptime(timestamp, "%m/%d/%Y %H:%M"),I'm still getting strangness.</P> <P>Here is my query, the "timestamp" column is in the Epoch time and I just wanted to convert it to readable date:<BR /> (index="wsecu_apps" OR index="wsecu_mobile_app") (username="<EM>" AND Useragent="</EM>" AND http_method=POST) OR (username="<EM>" AND http_user_agent="</EM>") | table username, http_user_agent, Useragent, eval timestamp = strptime(timestamp, "%m/%d/%Y %H:%M")</P> <P>The query won't even run.</P> Wed, 30 Sep 2020 02:06:28 GMT https://community.splunk.com/t5/Splunk-Search/Converting-date-to-epoch-time/m-p/316928#M94816 hortoristic 2020-09-30T02:06:28Z