Solved: Re: Can splunk convert a date to epoch time if the...

LWilliamson1 · ‎12-02-2015

When running the search:

| eval startTime="1970-01-01"| eval dateadded_epoch = strptime(startTime, "%Y-%m-%d")| table Jobname dateadded_epoch

I get no results, but if the year is changed to 1971 I get the expected output.

Richfez · ‎12-02-2015

I think you may have found a bug. I can reproduce proper results with any date in 1971 or newer, but none in 1970.

Jan 01, 1971 is 31557600 as you noticed, so you'd think that Dec 31st 1970 would be 31557600-86400, an answer which escapes my ability to run a calculator app right now, but which is decidedly greater than 0.

View solution in original post

Richfez · ‎12-02-2015

I think you may have found a bug. I can reproduce proper results with any date in 1971 or newer, but none in 1970.

Jan 01, 1971 is 31557600 as you noticed, so you'd think that Dec 31st 1970 would be 31557600-86400, an answer which escapes my ability to run a calculator app right now, but which is decidedly greater than 0.

Richfez · ‎12-02-2015

Even better:

index=* | eval startTime=31557600 
| eval a_dateadded_realdate = strftime(startTime, "%Y-%m-%d %H:%M:%S") 
| eval a_dateadded_epoch = strptime(a_dateadded_realdate, "%Y-%m-%d %H:%M:%S") 
| table startTime a_dateadded_epoch a_dateadded_realdate

If you run that, you'll get valid dates in both columns.

If you subtract one and use 31557599, the strftime works but the strptime won't convert it back.

bosburn_splunk · ‎12-03-2015

This is known, and not something that will be fixed.

Brian

Can splunk convert a date to epoch time if the year is 1970

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor