index=myindex | eval originaltime=strptime(eventTime, "%b %d, %Y %H:%M:%S %p")
Some sample values of the eventTime parameter are:
Dec 04, 2014 12:31:57 PM
Dec 04, 2014 12:31:58 PM
Dec 04, 2014 12:31:50 PM
Why is %p not recognizing PM? The value of originaltime is always AM. E.g., if the eventTime is 1:30 PM today, then the originaltime gets the epoch time for 1:30 AM today. Somehow %p is not recognizing %p. Any suggestions??
Splunk version: 6.1.3
I was having the same issue with the following timestamp on a custom sourcetype: 12:04:36.260353 AM. Using Timestamp format %H:%M:%S.%6N %P was indexing the data as PM for AM. Changed to %I:%M:%S.%6N %P and it now works.
I think you must replace the %H with %I:
index=myindex | eval originaltime=strptime(eventTime, "%b %d, %Y %I:%M:%S %p")
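The %H/%p mismatch discussed in this thread, as an added example that is not part of the original posts and is not Splunk code: it uses Python's datetime.strptime, which likewise ignores %p unless the hour is parsed with %I, to lint a format string and measure the resulting timestamp skew. The function names and the 01:30 PM and 12:04 AM sample values are constructed for illustration.

```python
from datetime import datetime
import re

BAD_FMT = "%b %d, %Y %H:%M:%S %p"    # format from the question
GOOD_FMT = "%b %d, %Y %I:%M:%S %p"   # format from the accepted fix


def lint_format(fmt):
    """Return a warning if fmt pairs a 24-hour %H with an AM/PM marker, else None."""
    directives = re.findall(r"%(.)", fmt)   # "%%" is consumed as a literal percent
    if "H" in directives and ("p" in directives or "P" in directives):
        return "%H parses a 24-hour value, so the AM/PM marker is ignored; use %I"
    return None


def skew_seconds(value, bad_fmt=BAD_FMT, good_fmt=GOOD_FMT):
    """Seconds by which bad_fmt misplaces value relative to good_fmt."""
    delta = datetime.strptime(value, bad_fmt) - datetime.strptime(value, good_fmt)
    return int(delta.total_seconds())


# Constructed samples: one afternoon value, one value from the question,
# and one just after midnight (the case described in the first reply).
SAMPLES = [
    "Dec 04, 2014 01:30:00 PM",
    "Dec 04, 2014 12:31:57 PM",
    "Dec 04, 2014 12:04:36 AM",
]

if __name__ == "__main__":
    print("lint:", lint_format(BAD_FMT))
    for s in SAMPLES:
        print(f"{s}  skew with %H: {skew_seconds(s):+d} s")
```

Values in the 12 PM hour parse identically under both formats, so a spot check against noon-hour events will not reveal the error; events in the other PM hours land 12 hours early and 12 AM events land 12 hours late.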