Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Zulu time

Laurent
Explorer
‎04-29-2024 09:14 AM

Hello

i read many topics on zulu time but i m not able to solde one

i have a date in this way 2024-04-29T12:01:15.710Z i just want it  this way YYYY-MM-DD HH:MM:SS.

i trie this eval latest_time = strptime(latest_time, "%Y-%m-%dT%H:%M:%S.%3N%Z")

and the result is that : 1714363262.904000 

i really don't catch the proble!

Thanks

Laurent

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-29-2024 05:18 PM

Are you saying you want to remove the milliseconds and timezone specifier or are you saying that your epoch time does not convert correctly, as this time in your message 1714363262.904000  is not actually the time 2024-04-29T12:01:15.710Z

When you use strptime to parse that time, you will get a time in your local time. If you are in GMT then it is the same, but here in Australia, I get a time that represents 2024-04-29 22:01:15.710 AEST, i.e. 10 hours later than the Zulu time.

If you are just looking to remove the milliseconds and time zone indicator, then just reformat using 

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

Note that %F is shorthand for %Y-%m-%d and %T is a shortcut for %H:%M:%S

Note that that new time will be in your local time. 

If you don't care about time zones at all and simply want to remove the T, milliseconds and Z then you could just use sed, i.e.

| rex mode=sed field=latest_time "s/\.\d+Z// s/T/ /"

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-29-2024 05:18 PM

Are you saying you want to remove the milliseconds and timezone specifier or are you saying that your epoch time does not convert correctly, as this time in your message 1714363262.904000  is not actually the time 2024-04-29T12:01:15.710Z

When you use strptime to parse that time, you will get a time in your local time. If you are in GMT then it is the same, but here in Australia, I get a time that represents 2024-04-29 22:01:15.710 AEST, i.e. 10 hours later than the Zulu time.

If you are just looking to remove the milliseconds and time zone indicator, then just reformat using 

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

Note that %F is shorthand for %Y-%m-%d and %T is a shortcut for %H:%M:%S

Note that that new time will be in your local time. 

If you don't care about time zones at all and simply want to remove the T, milliseconds and Z then you could just use sed, i.e.

| rex mode=sed field=latest_time "s/\.\d+Z// s/T/ /"

 

 

 

0 Karma
Reply
Solved! Jump to solution

Laurent
Explorer
‎04-30-2024 12:48 AM

Hi, thanks for answering it's work perfectly with that 

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

 

Thanks again for your answer.

Laurent

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2024 01:12 PM

The strptime function converts a timestamp from text format into integer (epoch) format.  To convert from one text format into another, use a combination of strptime and strftime (which converts epochs into text).

| eval latest_time = strftime(strptime(latest_time, "%Y-%m-%dT%H:%M:%S.%3N%Z"), "%Y-%m-%d %H:%M:%S.%3N%Z")

 Or you could use SED to replace the "T" with a space.

| rex mode=sed field=latest_time "s/(\d)T(\d)/\1 \2/"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...