Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add x hours to epoch time

willadams
Contributor
‎04-15-2020 11:48 PM

I have a log that contains multiple time fields

  • _time (ingest time)
  • Processed time (processed_time)
  • Actioned time (actioned_time)
  • Result time (result_time)

_time or ingest time is configured in props to adjust the timezone (due to no offset in the original log) I need for my timezone so its working fine. However the rest of the fields are just static fields. I went through doing the following for processed time (an example time stamp is Apr 10 2020 05:45:52)

So I wrote the following SPL to convert the static field "processed_time" to epoch

index=foo
| eval epoch_time(strptime(processed_time, "%b %d %Y %H:%M:%S")
| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S"

What I would like to do is add time to this event. So if I wanted to add 2, 4, 9 hours to this field how would I do that?

I tried doing

| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %:::z +8)

and 

| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %Z)

but all this does is set the offset to +8 in this example or the timezone I am in with %Z. I need this time (processed_time) as well as actioned_time and result_time to show me in this example, 8 hours later.

What I also want to know is how do I then put this into something like props or transforms so I don't have to do this via SPL?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 01:19 AM

transforms.conf

INGEST_EVAL = <comma-separated list of evaluator expressions>

try INGEST_EVAL

reference:

| makeresults 
| eval accesstime="Apr 10 2020 05:45:52"
| eval access_epoch=round(strptime(accesstime." +0800","%b %d %Y %T %Z"))
| convert ctime(access_epoch) as check_access_epoch

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 01:19 AM

transforms.conf

INGEST_EVAL = <comma-separated list of evaluator expressions>

try INGEST_EVAL

reference:

| makeresults 
| eval accesstime="Apr 10 2020 05:45:52"
| eval access_epoch=round(strptime(accesstime." +0800","%b %d %Y %T %Z"))
| convert ctime(access_epoch) as check_access_epoch
0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-16-2020 10:12 PM

Still a bit lost here

So would I do this in transforms / props for example

transforms

[myeval]
ingest_eval = epoch_time(strptime(processed_time, "%b %d %Y %H:%M:%S")+3600, eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")

ingest_eval2 = epoch_time2(strptime(actioned_time, "%b %d %Y %H:%M:%S")+3600, eval actioned_time_normalized=strftime(epoch_time2, "%b-%d-%Y %H:%M:%S")

props

[mysourcetype]
TRANSFORMS=ingest_eval
TRANSFORMS=ingest_eval2
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 03:34 AM

check https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/IngestEval
and correct the mistake

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 04:05 AM

So

transforms

[myeval]
ingest_eval = epoch_time=(strptime(processed_time, "%b %d %Y %H:%M:%S")+3600, processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")

[myeval2]

ingest_eval = epoch_time2=(strptime(actioned_time, "%b %d %Y %H:%M:%S")+3600, actioned_time_normalized=strftime(epoch_time2, "%b-%d-%Y %H:%M:%S")

** props ** 

TRANSFORMS=myeval
TRANSFORMS=myeval2

** fields **

[actioned_time_normalized]
INDEXED = True

[processed_time_normalized]
INDEXED = True
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 04:47 AM 
TRANSFORMS-<class> = <transform_stanza_name>, <transform_stanza_name2>,...

props.conf

TRANSFORMS-myevals=myeval, myeval2

and The rest looks good, let's reboot and check new events. how?

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 05:06 AM

They should come up within the sourcetype as an indexed field.

Thanks @to4kawa !!!

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 05:14 AM

good job! Happy Splunking!
and thank you @willadams
You are finding the answer yourself.

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 06:01 AM

Thank you for the guidance @to4kawa

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎04-16-2020 12:27 AM

hi @willadams

add milliseconds to direct epoch

1 day = 86400
1 hour=3600

| eval epoch_time=strptime(processed_time, "%b %d %Y %H:%M:%S")+3600
Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-16-2020 12:38 AM

Of course that makes perfect sense. Its epoch which is seconds and I was viewing this as hours in my head. Thanks.

Regarding my second query I guess I will just add to props maybe transforms to do it for me..?

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...