Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Zulu time

Laurent
Explorer
‎04-29-2024 09:14 AM

Hello

i read many topics on zulu time but i m not able to solde one

i have a date in this way 2024-04-29T12:01:15.710Z i just want it  this way YYYY-MM-DD HH:MM:SS.

i trie this eval latest_time = strptime(latest_time, "%Y-%m-%dT%H:%M:%S.%3N%Z")

and the result is that : 1714363262.904000 

i really don't catch the proble!

Thanks

Laurent

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-29-2024 05:18 PM

Are you saying you want to remove the milliseconds and timezone specifier or are you saying that your epoch time does not convert correctly, as this time in your message 1714363262.904000  is not actually the time 2024-04-29T12:01:15.710Z

When you use strptime to parse that time, you will get a time in your local time. If you are in GMT then it is the same, but here in Australia, I get a time that represents 2024-04-29 22:01:15.710 AEST, i.e. 10 hours later than the Zulu time.

If you are just looking to remove the milliseconds and time zone indicator, then just reformat using 

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

Note that %F is shorthand for %Y-%m-%d and %T is a shortcut for %H:%M:%S

Note that that new time will be in your local time. 

If you don't care about time zones at all and simply want to remove the T, milliseconds and Z then you could just use sed, i.e.

| rex mode=sed field=latest_time "s/\.\d+Z// s/T/ /"

 

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎04-29-2024 05:18 PM

Are you saying you want to remove the milliseconds and timezone specifier or are you saying that your epoch time does not convert correctly, as this time in your message 1714363262.904000  is not actually the time 2024-04-29T12:01:15.710Z

When you use strptime to parse that time, you will get a time in your local time. If you are in GMT then it is the same, but here in Australia, I get a time that represents 2024-04-29 22:01:15.710 AEST, i.e. 10 hours later than the Zulu time.

If you are just looking to remove the milliseconds and time zone indicator, then just reformat using 

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

Note that %F is shorthand for %Y-%m-%d and %T is a shortcut for %H:%M:%S

Note that that new time will be in your local time. 

If you don't care about time zones at all and simply want to remove the T, milliseconds and Z then you could just use sed, i.e.

| rex mode=sed field=latest_time "s/\.\d+Z// s/T/ /"

 

 

 

0 Karma
Reply
Solved! Jump to solution

Laurent
Explorer
‎04-30-2024 12:48 AM

Hi, thanks for answering it's work perfectly with that 

| eval latest_time=strftime(strptime(latest_time, "%FT%T.%Q%Z"), "%F %T")

 

Thanks again for your answer.

Laurent

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-29-2024 01:12 PM

The strptime function converts a timestamp from text format into integer (epoch) format.  To convert from one text format into another, use a combination of strptime and strftime (which converts epochs into text).

| eval latest_time = strftime(strptime(latest_time, "%Y-%m-%dT%H:%M:%S.%3N%Z"), "%Y-%m-%d %H:%M:%S.%3N%Z")

 Or you could use SED to replace the "T" with a space.

| rex mode=sed field=latest_time "s/(\d)T(\d)/\1 \2/"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...

Financial services organizations face an impossible equation: maintain 99.9% uptime for mission-critical ...

Customer success is front and center at .conf25

Hi Splunkers, If you are not able to be at .conf25 in person, you can still learn about all the latest news ...

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...