Splunk Search

Conversion to UNIX time

zacksoft
Contributor

I want to convert my default _time field to UNIX/Epoch time and have it in a different field. This is how the Time field looks now.

2/7/18

3:35:10.531 AM

Tags (1)
0 Karma
1 Solution

493669
Super Champion

_time is already in epoch format...
so try:

...|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")

but if time is in different field then try this run anywhere search:

| makeresults |eval time="2/7/18 3:35:10.531 AM"|eval Time=strptime(time,"%m/%d/%y %I:%M:%S.%3N %p")

View solution in original post

0 Karma

mayurr98
Super Champion

hey @zacksoft

You can use strftime(X,Y) to convert in a specified time format in Y and strptime(X,Y) to convert the same in epoch time.
have a look at this doc
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/DateandTimeFunctions#strftime.28X....

For time format, you can have a look at this doc
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Try this run anywhere search for more:

| gentimes start=-1 end=20 
| eval Endtime=strftime(endtime,"%d/%m/%Y %H:%M:%S"),Starttime=strftime(starttime,"%d/%m/%Y %H:%M:%S"),Starthuman=strptime(starthuman,"%a %b %d %H:%M:%S %Y"),Endhuman=strptime(endhuman,"%a %b %d %H:%M:%S %Y") 
| table starttime Starttime endtime Endtime starthuman Starthuman endhuman Endhuman

let me know if this helps!

0 Karma

493669
Super Champion

_time is already in epoch format...
so try:

...|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")

but if time is in different field then try this run anywhere search:

| makeresults |eval time="2/7/18 3:35:10.531 AM"|eval Time=strptime(time,"%m/%d/%y %I:%M:%S.%3N %p")
0 Karma

zacksoft
Contributor

Can I perform math functions like add/subtract to the time field after using
|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") ?

example new_time = time +39s ??

0 Karma

493669
Super Champion

you have to perform math before strftime function

0 Karma

493669
Super Champion

so you have to convert min into sec. and then add. here 30m=30*60sec

new_time=_time+1800|eval new_time=strftime(new_time,"%Y-%m-%d %H:%M:%S")
0 Karma

FrankVl
Ultra Champion

That's just how _time automatically get's presented, under the hood, it is still a UNIX timestamp value. So you can simply do:
| eval mytime=_time

zacksoft
Contributor

If it is internally represented at epoch time, then can math functions be applied to _time field directly ? i.e. new_time = _time + 30m ('new_time' is the time after 30 minutes) ..something like this ?

0 Karma

493669
Super Champion

so you have to convert min into sec. and then add. here 30m=30*60sec

new_time=_time+1800|eval new_time=strftime(new_time,"%Y-%m-%d %H:%M:%S")
0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...