Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Add x hours to epoch time

willadams
Contributor
‎04-15-2020 11:48 PM

I have a log that contains multiple time fields

  • _time (ingest time)
  • Processed time (processed_time)
  • Actioned time (actioned_time)
  • Result time (result_time)

_time or ingest time is configured in props to adjust the timezone (due to no offset in the original log) I need for my timezone so its working fine. However the rest of the fields are just static fields. I went through doing the following for processed time (an example time stamp is Apr 10 2020 05:45:52)

So I wrote the following SPL to convert the static field "processed_time" to epoch

index=foo
| eval epoch_time(strptime(processed_time, "%b %d %Y %H:%M:%S")
| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S"

What I would like to do is add time to this event. So if I wanted to add 2, 4, 9 hours to this field how would I do that?

I tried doing

| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %:::z +8)

and 

| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %Z)

but all this does is set the offset to +8 in this example or the timezone I am in with %Z. I need this time (processed_time) as well as actioned_time and result_time to show me in this example, 8 hours later.

What I also want to know is how do I then put this into something like props or transforms so I don't have to do this via SPL?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 01:19 AM

transforms.conf

INGEST_EVAL = <comma-separated list of evaluator expressions>

try INGEST_EVAL

reference:

| makeresults 
| eval accesstime="Apr 10 2020 05:45:52"
| eval access_epoch=round(strptime(accesstime." +0800","%b %d %Y %T %Z"))
| convert ctime(access_epoch) as check_access_epoch

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 01:19 AM

transforms.conf

INGEST_EVAL = <comma-separated list of evaluator expressions>

try INGEST_EVAL

reference:

| makeresults 
| eval accesstime="Apr 10 2020 05:45:52"
| eval access_epoch=round(strptime(accesstime." +0800","%b %d %Y %T %Z"))
| convert ctime(access_epoch) as check_access_epoch
0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-16-2020 10:12 PM

Still a bit lost here

So would I do this in transforms / props for example

transforms

[myeval]
ingest_eval = epoch_time(strptime(processed_time, "%b %d %Y %H:%M:%S")+3600, eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")

ingest_eval2 = epoch_time2(strptime(actioned_time, "%b %d %Y %H:%M:%S")+3600, eval actioned_time_normalized=strftime(epoch_time2, "%b-%d-%Y %H:%M:%S")

props

[mysourcetype]
TRANSFORMS=ingest_eval
TRANSFORMS=ingest_eval2
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 03:34 AM

check https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/IngestEval
and correct the mistake

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 04:05 AM

So

transforms

[myeval]
ingest_eval = epoch_time=(strptime(processed_time, "%b %d %Y %H:%M:%S")+3600, processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")

[myeval2]

ingest_eval = epoch_time2=(strptime(actioned_time, "%b %d %Y %H:%M:%S")+3600, actioned_time_normalized=strftime(epoch_time2, "%b-%d-%Y %H:%M:%S")

** props ** 

TRANSFORMS=myeval
TRANSFORMS=myeval2

** fields **

[actioned_time_normalized]
INDEXED = True

[processed_time_normalized]
INDEXED = True
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 04:47 AM 
TRANSFORMS-<class> = <transform_stanza_name>, <transform_stanza_name2>,...

props.conf

TRANSFORMS-myevals=myeval, myeval2

and The rest looks good, let's reboot and check new events. how?

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 05:06 AM

They should come up within the sourcetype as an indexed field.

Thanks @to4kawa !!!

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 05:14 AM

good job! Happy Splunking!
and thank you @willadams
You are finding the answer yourself.

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 06:01 AM

Thank you for the guidance @to4kawa

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎04-16-2020 12:27 AM

hi @willadams

add milliseconds to direct epoch

1 day = 86400
1 hour=3600

| eval epoch_time=strptime(processed_time, "%b %d %Y %H:%M:%S")+3600
Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-16-2020 12:38 AM

Of course that makes perfect sense. Its epoch which is seconds and I was viewing this as hours in my head. Thanks.

Regarding my second query I guess I will just add to props maybe transforms to do it for me..?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...