https://community.splunk.com/t5/Splunk-Search/How-can-I-convert-my-time-format-to-epoch-time/m-p/318598#M95292 <P>You are nearly right - I think your only problem is that you are quoting your field inside the <CODE>strptime</CODE> - when you quote it Splunk treats is as a string with a value of "Duration" and tries to extract Hours, Minutes and Seconds from the <STRONG>word</STRONG> "Duration", not the field.</P> <P>Try</P> <PRE><CODE>eval "Duration"=strptime(Duration, "%Hh:%Mm:%Ss") </CODE></PRE> <P>If your "Duration" field ever has spaces, you can use <EM>single</EM> quotes to quote it and it'll work. See all three (No quotes, single quotes and regular quotes) in the below "run anywhere" example.</P> <PRE><CODE>| makeresults | eval dur1="9h:42m:32s" | eval "edur1"=strptime("dur1", "%Hh:%Mm:%Ss") | eval "edur2"=strptime('dur1', "%Hh:%Mm:%Ss") | eval "edur3"=strptime(dur1, "%Hh:%Mm:%Ss") </CODE></PRE> <P>Notice it doesn't return "edur1".</P> <PRE><CODE> _time dur1 edur2 edur3 2017-02-25 07:01:47 9h:42m:32s 1488037352.000000 1488037352.000000 </CODE></PRE> Sat, 25 Feb 2017 13:08:06 GMT Richfez 2017-02-25T13:08:06Z https://community.splunk.com/t5/Splunk-Search/How-can-I-convert-my-time-format-to-epoch-time/m-p/318596#M95290 <P>Format i have in Splunk:- Duration as 9h:42m:32s</P> <P>I tried to use below search but it didn't worked.</P> <PRE><CODE>eval "Duration"=strptime("Duration", "%Hh:%Mm:%Ss")| </CODE></PRE> <P>Thanks in Advance</P> Sat, 25 Feb 2017 07:31:34 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-convert-my-time-format-to-epoch-time/m-p/318596#M95290 m7787580 2017-02-25T07:31:34Z https://community.splunk.com/t5/Splunk-Search/How-can-I-convert-my-time-format-to-epoch-time/m-p/318597#M95291 <P>That value is not compatible with converting to epoch time because Splunk doesn't know when the time starts. The <CODE>strptime</CODE> function expects you are sending it some form of wall clock time, not a duration. </P> <P>So, what is the start time, and what output would you really like to see: a clock time, or the number of seconds that duration represents (e.g., 34,952 seconds)?</P> Sat, 25 Feb 2017 12:35:29 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-convert-my-time-format-to-epoch-time/m-p/318597#M95291 rjthibod 2017-02-25T12:35:29Z https://community.splunk.com/t5/Splunk-Search/How-can-I-convert-my-time-format-to-epoch-time/m-p/318598#M95292 <P>You are nearly right - I think your only problem is that you are quoting your field inside the <CODE>strptime</CODE> - when you quote it Splunk treats is as a string with a value of "Duration" and tries to extract Hours, Minutes and Seconds from the <STRONG>word</STRONG> "Duration", not the field.</P> <P>Try</P> <PRE><CODE>eval "Duration"=strptime(Duration, "%Hh:%Mm:%Ss") </CODE></PRE> <P>If your "Duration" field ever has spaces, you can use <EM>single</EM> quotes to quote it and it'll work. See all three (No quotes, single quotes and regular quotes) in the below "run anywhere" example.</P> <PRE><CODE>| makeresults | eval dur1="9h:42m:32s" | eval "edur1"=strptime("dur1", "%Hh:%Mm:%Ss") | eval "edur2"=strptime('dur1', "%Hh:%Mm:%Ss") | eval "edur3"=strptime(dur1, "%Hh:%Mm:%Ss") </CODE></PRE> <P>Notice it doesn't return "edur1".</P> <PRE><CODE> _time dur1 edur2 edur3 2017-02-25 07:01:47 9h:42m:32s 1488037352.000000 1488037352.000000 </CODE></PRE> Sat, 25 Feb 2017 13:08:06 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-convert-my-time-format-to-epoch-time/m-p/318598#M95292 Richfez 2017-02-25T13:08:06Z https://community.splunk.com/t5/Splunk-Search/How-can-I-convert-my-time-format-to-epoch-time/m-p/318599#M95293 <P>Do you want to convert your duration to epoch time or convert it to number of seconds? If it's later, try like this</P> <PRE><CODE>your current search | eval Duration=replace(Duration,"[hms]","") | convert dur2sec(Duration) as Duration </CODE></PRE> <P>OR</P> <PRE><CODE>your current search | eval Duration=strptime(Duration,"%Hh:%Mm:%Ss")-relative_time(now(),"@d") </CODE></PRE> Sat, 25 Feb 2017 20:16:35 GMT https://community.splunk.com/t5/Splunk-Search/How-can-I-convert-my-time-format-to-epoch-time/m-p/318599#M95293 somesoni2 2017-02-25T20:16:35Z