Re: Can you help me with an issue i'm having with ...

Divyachundu · ‎10-23-2018

I am trying to implement strptime command on my lookup named test.csv, which has fields _time, hits with data from Aug-12 to Oct-21.

I created a scheduled job to update my lookup dynamically everyday at 3:00 AM with yesterday's data. So, on Oct-23rd, my lookup got updated with Oct-22 data.

The issue is, while running the below command, I am getting blank values for _time field, where as hits field is coming fine.

|inputlookup test.csv|eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S")

Divyachundu · ‎10-25-2018

Thank you all your replied. I figured out what is causing the issue.

The time format in the initial lookup is "%Y-%m-%dT%H:%M:%S". When my job is appending the lookup, the time stamp is being saved in epoch which is causing issue when I am using strptime command.

kamal_jagga · ‎10-23-2018

Try naming the new field differently from _time to Date.

|inputlookup test.csv
|eval Date=strptime(_time, "%Y-%m-%dT%H:%M:%S").

Divyachundu · ‎10-25-2018

I did try this before . Didn't help. Thanks for sharing your thoughts.

cmerriman · ‎10-23-2018

can you provide sample data of your csv file before you do any evals to it. scrubbed of any pii/phi info, of course.

Can you help me with an issue i'm having with the strptime function?

New in Observability Cloud - Explicit Bucket Histograms

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...