Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

convert extracted time from log to start_time

awedmondson
Explorer
‎11-27-2014 07:54 AM

I have extracted an event time as a field from an event as
Nov 27, 2014 9:42

presently I have:
convert timeformat="%m/%d/%Y %H:%M:%S" ctime(_time) AS start_time
But for some reason, splunk occasional reads the event time stamp 8 hours out, so I have extracted Nov 27, 2014 9:42, question is how can I get it as start_time

thanks

Tags (2)
0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎11-27-2014 09:11 AM

You're looking at "Nov 27,2014" but are parsing "%m/%d/%Y" - those two don't fit together. This works for me:

| stats count | eval event_time = "Nov 27, 2014 9:42" | eval start_time = strptime(event_time, "%b %d, %Y %H:%M") | eval test = strftime(start_time, "%+")

The test field is there to confirm the parsing worked correctly. Note I'm looking for "%b %d, %Y" for the date which matches "Nov 27, 2014".

Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...