Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add x hours to epoch time

willadams
Contributor
‎04-15-2020 11:48 PM

I have a log that contains multiple time fields

  • _time (ingest time)
  • Processed time (processed_time)
  • Actioned time (actioned_time)
  • Result time (result_time)

_time or ingest time is configured in props to adjust the timezone (due to no offset in the original log) I need for my timezone so its working fine. However the rest of the fields are just static fields. I went through doing the following for processed time (an example time stamp is Apr 10 2020 05:45:52)

So I wrote the following SPL to convert the static field "processed_time" to epoch

index=foo
| eval epoch_time(strptime(processed_time, "%b %d %Y %H:%M:%S")
| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S"

What I would like to do is add time to this event. So if I wanted to add 2, 4, 9 hours to this field how would I do that?

I tried doing

| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %:::z +8)

and 

| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %Z)

but all this does is set the offset to +8 in this example or the timezone I am in with %Z. I need this time (processed_time) as well as actioned_time and result_time to show me in this example, 8 hours later.

What I also want to know is how do I then put this into something like props or transforms so I don't have to do this via SPL?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 01:19 AM

transforms.conf

INGEST_EVAL = <comma-separated list of evaluator expressions>

try INGEST_EVAL

reference:

| makeresults 
| eval accesstime="Apr 10 2020 05:45:52"
| eval access_epoch=round(strptime(accesstime." +0800","%b %d %Y %T %Z"))
| convert ctime(access_epoch) as check_access_epoch

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 01:19 AM

transforms.conf

INGEST_EVAL = <comma-separated list of evaluator expressions>

try INGEST_EVAL

reference:

| makeresults 
| eval accesstime="Apr 10 2020 05:45:52"
| eval access_epoch=round(strptime(accesstime." +0800","%b %d %Y %T %Z"))
| convert ctime(access_epoch) as check_access_epoch
0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-16-2020 10:12 PM

Still a bit lost here

So would I do this in transforms / props for example

transforms

[myeval]
ingest_eval = epoch_time(strptime(processed_time, "%b %d %Y %H:%M:%S")+3600, eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")

ingest_eval2 = epoch_time2(strptime(actioned_time, "%b %d %Y %H:%M:%S")+3600, eval actioned_time_normalized=strftime(epoch_time2, "%b-%d-%Y %H:%M:%S")

props

[mysourcetype]
TRANSFORMS=ingest_eval
TRANSFORMS=ingest_eval2
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 03:34 AM

check https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/IngestEval
and correct the mistake

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 04:05 AM

So

transforms

[myeval]
ingest_eval = epoch_time=(strptime(processed_time, "%b %d %Y %H:%M:%S")+3600, processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")

[myeval2]

ingest_eval = epoch_time2=(strptime(actioned_time, "%b %d %Y %H:%M:%S")+3600, actioned_time_normalized=strftime(epoch_time2, "%b-%d-%Y %H:%M:%S")

** props ** 

TRANSFORMS=myeval
TRANSFORMS=myeval2

** fields **

[actioned_time_normalized]
INDEXED = True

[processed_time_normalized]
INDEXED = True
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 04:47 AM 
TRANSFORMS-<class> = <transform_stanza_name>, <transform_stanza_name2>,...

props.conf

TRANSFORMS-myevals=myeval, myeval2

and The rest looks good, let's reboot and check new events. how?

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 05:06 AM

They should come up within the sourcetype as an indexed field.

Thanks @to4kawa !!!

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 05:14 AM

good job! Happy Splunking!
and thank you @willadams
You are finding the answer yourself.

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 06:01 AM

Thank you for the guidance @to4kawa

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎04-16-2020 12:27 AM

hi @willadams

add milliseconds to direct epoch

1 day = 86400
1 hour=3600

| eval epoch_time=strptime(processed_time, "%b %d %Y %H:%M:%S")+3600
Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-16-2020 12:38 AM

Of course that makes perfect sense. Its epoch which is seconds and I was viewing this as hours in my head. Thanks.

Regarding my second query I guess I will just add to props maybe transforms to do it for me..?

0 Karma
Reply
Get Updates on the Splunk Community!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...

Stay Connected: Your Guide to October Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...