Splunk Search

Convert Format of apiStartTime to Epoch

IRHM73
Motivator

Hi, I wonder whether someone may be able to help me please.

I'm trying to change the "apiStartTime" which is in the following format 'Sat Mar 5 00:00:00 2016' including the apostrophes to an epoch time so I can perform some date calculations.

So I've been looking at the Splunk documentation here and I thought I'd understood the variables I need to use and then convert and I put together the following:

|eval startTime=strptime(apiStartTime, "%a %m %d %H:%M:%S %Y")|convert timeformat="%d/%b/%Y" ctime(startTime)

Unfortunately though this isn't working, and I'm not sure why.

I just wondered whether someone could possibly look at this please and let me know where I've gone wrong.

Many thanks and kind regards

Chris

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The first half of your SPL correctly converts an apiStartTime string into epoch form. The second half converts the epoch back into a string, which may not be necessary, depending on why you need an epoch.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

nvanderwalt_spl
Splunk Employee
Splunk Employee

This is reviving a very old thread, but I will still post this in case someone else needs it. Try:

|eval startTime=strptime('apiStartTime', "'%a %b %e %H:%M:%S %Y'")
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The first half of your SPL correctly converts an apiStartTime string into epoch form. The second half converts the epoch back into a string, which may not be necessary, depending on why you need an epoch.

---
If this reply helps you, Karma would be appreciated.

IRHM73
Motivator

Hi, thank you for coming back to me with this and for the clarification on my query.

The problem is, is that in isolation this line

|eval startTime=strptime(apiStartTime, "%a %m %d %H:%M:%S %Y") isn't converting the api time to epoch.

Kind Regards

Chris

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If apiStartTime truly includes apostrophes, then the format string should be "'%a %m %d %H:%M:%S %Y'".

---
If this reply helps you, Karma would be appreciated.
0 Karma

IRHM73
Motivator

Hi, thank you for this. I just had to make a minor change to "'%a %m %b %H:%M:%S %Y'", which now works great.

In my initial testing I had incorporated a ' but with a % beforehand, because in the documentation it suggested to use something as a literal character add a % beforehand. I obviously misinterpreted this.

Once again thank you for your help and kind regards

Chris

0 Karma

richgalloway
SplunkTrust
SplunkTrust

In strptime and strftime format strings, all characters are literal except those preceded by '%'. Use "%%" to get a literal '%'.

---
If this reply helps you, Karma would be appreciated.
0 Karma

IRHM73
Motivator

Ahh I see.

That's a lot clearer now. Thank you.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...