Solved: Zulu time

Laurent

Hello

i read many topics on zulu time but i m not able to solde one

i have a date in this way 2024-04-29T12:01:15.710Z i just want it this way YYYY-MM-DD HH:MM:SS.

i trie this eval latest_time = strptime(latest_time, "%Y-%m-%dT%H:%M:%S.%3N%Z")

and the result is that : 1714363262.904000

i really don't catch the proble!

Thanks

Laurent

bowesmana

Are you saying you want to remove the milliseconds and timezone specifier or are you saying that your epoch time does not convert correctly, as this time in your message 1714363262.904000 is not actually the time 2024-04-29T12:01:15.710Z

When you use strptime to parse that time, you will get a time in your local time. If you are in GMT then it is the same, but here in Australia, I get a time that represents 2024-04-29 22:01:15.710 AEST, i.e. 10 hours later than the Zulu time.

If you are just looking to remove the milliseconds and time zone indicator, then just reformat using

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

Note that %F is shorthand for %Y-%m-%d and %T is a shortcut for %H:%M:%S

Note that that new time will be in your local time.

If you don't care about time zones at all and simply want to remove the T, milliseconds and Z then you could just use sed, i.e.

| rex mode=sed field=latest_time "s/\.\d+Z// s/T/ /"

View solution in original post

bowesmana

Are you saying you want to remove the milliseconds and timezone specifier or are you saying that your epoch time does not convert correctly, as this time in your message 1714363262.904000 is not actually the time 2024-04-29T12:01:15.710Z

When you use strptime to parse that time, you will get a time in your local time. If you are in GMT then it is the same, but here in Australia, I get a time that represents 2024-04-29 22:01:15.710 AEST, i.e. 10 hours later than the Zulu time.

If you are just looking to remove the milliseconds and time zone indicator, then just reformat using

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

Note that %F is shorthand for %Y-%m-%d and %T is a shortcut for %H:%M:%S

Note that that new time will be in your local time.

If you don't care about time zones at all and simply want to remove the T, milliseconds and Z then you could just use sed, i.e.

| rex mode=sed field=latest_time "s/\.\d+Z// s/T/ /"

Laurent

Hi, thanks for answering it's work perfectly with that

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

Thanks again for your answer.

Laurent

richgalloway

The strptime function converts a timestamp from text format into integer (epoch) format. To convert from one text format into another, use a combination of strptime and strftime (which converts epochs into text).

| eval latest_time = strftime(strptime(latest_time, "%Y-%m-%dT%H:%M:%S.%3N%Z"), "%Y-%m-%d %H:%M:%S.%3N%Z")

Or you could use SED to replace the "T" with a space.

| rex mode=sed field=latest_time "s/(\d)T(\d)/\1 \2/"

---
If this reply helps you, Karma would be appreciated.

Zulu time

data

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?