Solved: Conversion to UNIX time

zacksoft · ‎02-07-2018

I want to convert my default _time field to UNIX/Epoch time and have it in a different field. This is how the Time field looks now.

2/7/18

3:35:10.531 AM

493669 · ‎02-07-2018

_time is already in epoch format...
so try:

...|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")

but if time is in different field then try this run anywhere search:

| makeresults |eval time="2/7/18 3:35:10.531 AM"|eval Time=strptime(time,"%m/%d/%y %I:%M:%S.%3N %p")

View solution in original post

mayurr98 · ‎02-07-2018

hey @zacksoft

You can use strftime(X,Y) to convert in a specified time format in Y and strptime(X,Y) to convert the same in epoch time.
have a look at this doc
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/DateandTimeFunctions#strftime.28X....

For time format, you can have a look at this doc
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Try this run anywhere search for more:

| gentimes start=-1 end=20 
| eval Endtime=strftime(endtime,"%d/%m/%Y %H:%M:%S"),Starttime=strftime(starttime,"%d/%m/%Y %H:%M:%S"),Starthuman=strptime(starthuman,"%a %b %d %H:%M:%S %Y"),Endhuman=strptime(endhuman,"%a %b %d %H:%M:%S %Y") 
| table starttime Starttime endtime Endtime starthuman Starthuman endhuman Endhuman

let me know if this helps!

493669 · ‎02-07-2018

_time is already in epoch format...
so try:

...|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")

but if time is in different field then try this run anywhere search:

| makeresults |eval time="2/7/18 3:35:10.531 AM"|eval Time=strptime(time,"%m/%d/%y %I:%M:%S.%3N %p")

zacksoft · ‎02-07-2018

Can I perform math functions like add/subtract to the time field after using
|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") ?

example new_time = time +39s ??

493669 · ‎02-07-2018

you have to perform math before strftime function

493669 · ‎02-07-2018

so you have to convert min into sec. and then add. here 30m=30*60sec

new_time=_time+1800|eval new_time=strftime(new_time,"%Y-%m-%d %H:%M:%S")

FrankVl · ‎02-07-2018

That's just how _time automatically get's presented, under the hood, it is still a UNIX timestamp value. So you can simply do:
| eval mytime=_time

zacksoft · ‎02-07-2018

If it is internally represented at epoch time, then can math functions be applied to _time field directly ? i.e. new_time = _time + 30m ('new_time' is the time after 30 minutes) ..something like this ?

493669 · ‎02-07-2018

so you have to convert min into sec. and then add. here 30m=30*60sec

new_time=_time+1800|eval new_time=strftime(new_time,"%Y-%m-%d %H:%M:%S")

Conversion to UNIX time

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...