Solved: Time field extraction and transformation

rgaleone1 · ‎12-03-2013

Big Picture: I need to extract a time stamp from my data and pass it in a specific format in a URI GET request to a third party appliance. My issue arises with the format Splunk uses for _time.

Splunk: _time = 2013-12-03T00:46:32.000-05:00
I need: mytime= 2013-11-26T23:59:59-0500
Year-Month-DayT24Hour:Minute:Second-UTCoffset

I came up with a work around macro to get around the extraction and transformation issue. The macro I used is eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S%z"). Downside to using a macro is that it needs to be called at search time by the user. I'd like to use something transparent. I am asking the Splunk community for help. Can this extractions/transformation be done invisibly behind to scenes? Could I use transforms.conf and props.conf?

Ayn · ‎12-03-2013

Yes. You can do EVAL statements in props.conf:

EVAL-mytime = strftime(_time,"%Y-%m-%dT%H:%M:%S%z")

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

View solution in original post

Ayn · ‎12-03-2013

Yes. You can do EVAL statements in props.conf:

EVAL-mytime = strftime(_time,"%Y-%m-%dT%H:%M:%S%z")

http://docs.splunk.com/Documentation/Splunk/latest/admin/Propsconf

Time field extraction and transformation

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

Time field extraction and transformation

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...