Splunk Search

Combine 2 TimeDate fields of different types into one

Riosrr
New Member

I have 3 different time date fields in my logs with 2 being redundant and the other being a different measure.
Time_A= %m-%d-%y 00:00:00 (yes, there is no hour, minute, second recorded)
Time_B= %m-%d-%y 00:00:00 (again, yes)
Time_C= Minutes after midnight

Is there a simple way to convert Time_C to anything similar to %T (understanding that seconds will be truncated) and then have a join of Time_A and Time_C?

"TimeDate = Time_A + Time_C" in a format Splunk could read as a usable format is the prefered outcome.

Tags (2)
0 Karma

Riosrr
New Member

First off, thank you all for taking the time to help out! I realize now that I could have been much more clear and informative with my question. I will attach a copy of a slightly edited version of my logs after going through the indexer:

2018-04-04 00:00:00.000, LoginHistory="11968096", Logon=" ", Action="1", Date="2018-04-04 00:00:00.0", Time="538", Terminal=" ", AudSID="508081017", User="18187", StationId="7797", Application="0", IsPINAttempt="0", AuditUser="18187", AuditStationId="7797"

Action = 1

Date = 2018-04-04 00:00:00.0

LoginHistory = 11968096

Logon =

Terminal =

Time = 538

host =

I am, likely obviously, new to Splunk. My overall objective is to have Splunk recognize event times as its own date time. I believe this variable is _time. It seems as though the suggested solution is to get my 'Time' field converted to seconds.

|makeresults count=3|eval duration='Time'*60|eval dateadded_epoch = strftime('Date',"%Y-%m-%d %H:%M:%S")|eval date_epoch = strptime('dateadded_epoch',"%Y-%m-%d %H:%M:%S") |eval date=date_epoch+duration | eval '_time' = strftime('date', "%Y-%m-%d %H:%M:%S")

This is what i think it should look like based on the suggestions but i have no idea how to apply that to the current index or if i am even using the right syntax.

0 Karma

cmerriman
Super Champion

try adding something like this:

|eval new_time=substr(Time_A,1,10)." ".tostring(Time_C*60,"duration")

it should grab the first 10 characters of your date in Time_A and calculate the duration for Time_C by converting the minutes to seconds and putting it into a duration format.

0 Karma

splunker12er
Motivator

try somethign like this, if you want to see results in search time,

makeresults |eval time_A="04-31-2018 00:00:00"|eval time_C="12:01:50"|rex mode=sed field=time_A "s/00:00:00//g"|eval time_A=toString(time_1).toString(time_C)|table time_A
0 Karma

deepashri_123
Motivator

Hey@Riossr,

You can try this run anywhere command:
| makeresults count=3 |eval duration=60| eval dateadded_epoch = strftime('_time',"%Y-%m-%d %H:%M:%S")|eval date_epoch = strptime('dateadded_epoch',"%Y-%m-%d %H:%M:%S") |eval date=date_epoch+duration | eval date1 = strftime('date', "%Y-%m-%d %H:%M:%S")

You need to convert your Time_A to epoch and then add Time_C and then again convert to date.
That will help you use it in readable format

Let me know if this helps!!

0 Karma
Get Updates on the Splunk Community!

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...

Platform Highlights | January 2023 Newsletter

 January 2023Peace on Earth and Peace of Mind With Business ResilienceAll organizations can start the new year ...