Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Add x hours to epoch time

willadams
Contributor
‎04-15-2020 11:48 PM

I have a log that contains multiple time fields

  • _time (ingest time)
  • Processed time (processed_time)
  • Actioned time (actioned_time)
  • Result time (result_time)

_time or ingest time is configured in props to adjust the timezone (due to no offset in the original log) I need for my timezone so its working fine. However the rest of the fields are just static fields. I went through doing the following for processed time (an example time stamp is Apr 10 2020 05:45:52)

So I wrote the following SPL to convert the static field "processed_time" to epoch

index=foo
| eval epoch_time(strptime(processed_time, "%b %d %Y %H:%M:%S")
| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S"

What I would like to do is add time to this event. So if I wanted to add 2, 4, 9 hours to this field how would I do that?

I tried doing

| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %:::z +8)

and 

| eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S" %Z)

but all this does is set the offset to +8 in this example or the timezone I am in with %Z. I need this time (processed_time) as well as actioned_time and result_time to show me in this example, 8 hours later.

What I also want to know is how do I then put this into something like props or transforms so I don't have to do this via SPL?

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 01:19 AM

transforms.conf

INGEST_EVAL = <comma-separated list of evaluator expressions>

try INGEST_EVAL

reference:

| makeresults 
| eval accesstime="Apr 10 2020 05:45:52"
| eval access_epoch=round(strptime(accesstime." +0800","%b %d %Y %T %Z"))
| convert ctime(access_epoch) as check_access_epoch

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎04-16-2020 01:19 AM

transforms.conf

INGEST_EVAL = <comma-separated list of evaluator expressions>

try INGEST_EVAL

reference:

| makeresults 
| eval accesstime="Apr 10 2020 05:45:52"
| eval access_epoch=round(strptime(accesstime." +0800","%b %d %Y %T %Z"))
| convert ctime(access_epoch) as check_access_epoch
0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-16-2020 10:12 PM

Still a bit lost here

So would I do this in transforms / props for example

transforms

[myeval]
ingest_eval = epoch_time(strptime(processed_time, "%b %d %Y %H:%M:%S")+3600, eval processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")

ingest_eval2 = epoch_time2(strptime(actioned_time, "%b %d %Y %H:%M:%S")+3600, eval actioned_time_normalized=strftime(epoch_time2, "%b-%d-%Y %H:%M:%S")

props

[mysourcetype]
TRANSFORMS=ingest_eval
TRANSFORMS=ingest_eval2
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 03:34 AM

check https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/IngestEval
and correct the mistake

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 04:05 AM

So

transforms

[myeval]
ingest_eval = epoch_time=(strptime(processed_time, "%b %d %Y %H:%M:%S")+3600, processed_time_normalized=strftime(epoch_time, "%b-%d-%Y %H:%M:%S")

[myeval2]

ingest_eval = epoch_time2=(strptime(actioned_time, "%b %d %Y %H:%M:%S")+3600, actioned_time_normalized=strftime(epoch_time2, "%b-%d-%Y %H:%M:%S")

** props ** 

TRANSFORMS=myeval
TRANSFORMS=myeval2

** fields **

[actioned_time_normalized]
INDEXED = True

[processed_time_normalized]
INDEXED = True
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 04:47 AM 
TRANSFORMS-<class> = <transform_stanza_name>, <transform_stanza_name2>,...

props.conf

TRANSFORMS-myevals=myeval, myeval2

and The rest looks good, let's reboot and check new events. how?

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 05:06 AM

They should come up within the sourcetype as an indexed field.

Thanks @to4kawa !!!

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎04-17-2020 05:14 AM

good job! Happy Splunking!
and thank you @willadams
You are finding the answer yourself.

0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-17-2020 06:01 AM

Thank you for the guidance @to4kawa

0 Karma
Reply
Solved! Jump to solution

harishalipaka
Motivator
‎04-16-2020 12:27 AM

hi @willadams

add milliseconds to direct epoch

1 day = 86400
1 hour=3600

| eval epoch_time=strptime(processed_time, "%b %d %Y %H:%M:%S")+3600
Thanks
Harish
0 Karma
Reply
Solved! Jump to solution

willadams
Contributor
‎04-16-2020 12:38 AM

Of course that makes perfect sense. Its epoch which is seconds and I was viewing this as hours in my head. Thanks.

Regarding my second query I guess I will just add to props maybe transforms to do it for me..?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...