Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Zulu time

Laurent
Explorer
‎04-29-2024 09:14 AM

Hello

i read many topics on zulu time but i m not able to solde one

i have a date in this way 2024-04-29T12:01:15.710Z i just want it  this way YYYY-MM-DD HH:MM:SS.

i trie this eval latest_time = strptime(latest_time, "%Y-%m-%dT%H:%M:%S.%3N%Z")

and the result is that : 1714363262.904000 

i really don't catch the proble!

Thanks

Laurent

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-29-2024 05:18 PM

Are you saying you want to remove the milliseconds and timezone specifier or are you saying that your epoch time does not convert correctly, as this time in your message 1714363262.904000  is not actually the time 2024-04-29T12:01:15.710Z

When you use strptime to parse that time, you will get a time in your local time. If you are in GMT then it is the same, but here in Australia, I get a time that represents 2024-04-29 22:01:15.710 AEST, i.e. 10 hours later than the Zulu time.

If you are just looking to remove the milliseconds and time zone indicator, then just reformat using 

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

Note that %F is shorthand for %Y-%m-%d and %T is a shortcut for %H:%M:%S

Note that that new time will be in your local time. 

If you don't care about time zones at all and simply want to remove the T, milliseconds and Z then you could just use sed, i.e.

| rex mode=sed field=latest_time "s/\.\d+Z// s/T/ /"

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-29-2024 05:18 PM

Are you saying you want to remove the milliseconds and timezone specifier or are you saying that your epoch time does not convert correctly, as this time in your message 1714363262.904000  is not actually the time 2024-04-29T12:01:15.710Z

When you use strptime to parse that time, you will get a time in your local time. If you are in GMT then it is the same, but here in Australia, I get a time that represents 2024-04-29 22:01:15.710 AEST, i.e. 10 hours later than the Zulu time.

If you are just looking to remove the milliseconds and time zone indicator, then just reformat using 

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

Note that %F is shorthand for %Y-%m-%d and %T is a shortcut for %H:%M:%S

Note that that new time will be in your local time. 

If you don't care about time zones at all and simply want to remove the T, milliseconds and Z then you could just use sed, i.e.

| rex mode=sed field=latest_time "s/\.\d+Z// s/T/ /"

 

 

 

0 Karma
Reply
Solved! Jump to solution

Laurent
Explorer
‎04-30-2024 12:48 AM

Hi, thanks for answering it's work perfectly with that 

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

 

Thanks again for your answer.

Laurent

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2024 01:12 PM

The strptime function converts a timestamp from text format into integer (epoch) format.  To convert from one text format into another, use a combination of strptime and strftime (which converts epochs into text).

| eval latest_time = strftime(strptime(latest_time, "%Y-%m-%dT%H:%M:%S.%3N%Z"), "%Y-%m-%d %H:%M:%S.%3N%Z")

 Or you could use SED to replace the "T" with a space.

| rex mode=sed field=latest_time "s/(\d)T(\d)/\1 \2/"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...