Knowledge Management
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

convert extracted time from log to start_time

awedmondson
Explorer
‎11-27-2014 07:54 AM

I have extracted an event time as a field from an event as
Nov 27, 2014 9:42

presently I have:
convert timeformat="%m/%d/%Y %H:%M:%S" ctime(_time) AS start_time
But for some reason, splunk occasional reads the event time stamp 8 hours out, so I have extracted Nov 27, 2014 9:42, question is how can I get it as start_time

thanks

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-27-2014 09:11 AM

You're looking at "Nov 27,2014" but are parsing "%m/%d/%Y" - those two don't fit together. This works for me:

| stats count | eval event_time = "Nov 27, 2014 9:42" | eval start_time = strptime(event_time, "%b %d, %Y %H:%M") | eval test = strftime(start_time, "%+")

The test field is there to confirm the parsing worked correctly. Note I'm looking for "%b %d, %Y" for the date which matches "Nov 27, 2014".

Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top