Solved: Have problem with my timestamp format

jcvytla · ‎04-04-2018

I'm trying to do forecasting on hourly data. I'm getting error , even though I change my time format. need help in converting "3/5/2018 0:49" into unix time stamp.

adonio · ‎04-04-2018

try this:

| makeresults count=1 | eval time = "3/5/2018 0:49"
| eval in_epoch = strptime(time, "%m/%d/%Y %H:%M")

hope it helps

View solution in original post

lsnow_splunk · ‎04-04-2018

Hi, @jcvytla-

Check out the "convert" command. The syntax for your case would look something like

convert timeformat=%m/%d/%Y %H:%M mktime(existing_time_field) AS epoch_time

but double check the time format if it doesn't seem to be working for you - the lack of leading zeroes in your timestamp might mean that you have to tweak that.

adonio · ‎04-04-2018

try this:

| makeresults count=1 | eval time = "3/5/2018 0:49"
| eval in_epoch = strptime(time, "%m/%d/%Y %H:%M")

hope it helps

jcvytla · ‎04-04-2018

Could you please help me with time chart for the same time format?

Thanks in advance

adonio · ‎04-04-2018

for timechart youll need to convert your time to the field _time
same thing, and now you can | timechart ... as foo | predict foo

Have problem with my timestamp format

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation