Hi, I wonder whether someone may be able to help me please.
I'm trying to change the "apiStartTime" which is in the following format 'Sat Mar 5 00:00:00 2016' including the apostrophes to an epoch time so I can perform some date calculations.
So I've been looking at the Splunk documentation here and I thought I'd understood the variables I need to use and then convert and I put together the following:
|eval startTime=strptime(apiStartTime, "%a %m %d %H:%M:%S %Y")|convert timeformat="%d/%b/%Y" ctime(startTime)
Unfortunately though this isn't working, and I'm not sure why.
I just wondered whether someone could possibly look at this please and let me know where I've gone wrong.
Many thanks and kind regards
Chris
richgalloway (SplunkTrust)
The first half of your SPL correctly converts an apiStartTime string into epoch form. The second half converts the epoch back into a string, which may not be necessary, depending on why you need an epoch.
If this reply helps you, Karma would be appreciated.
nvanderwalt_spl (Splunk Employee)
This is reviving a very old thread, but I will still post this in case someone else needs it. Try:
|eval startTime=strptime('apiStartTime', "'%a %b %e %H:%M:%S %Y'")
Hi, thank you for coming back to me with this and for the clarification on my query.
The problem is that in isolation this line
|eval startTime=strptime(apiStartTime, "%a %m %d %H:%M:%S %Y")
isn't converting the api time to epoch.
Kind Regards
Chris
richgalloway (SplunkTrust)
If apiStartTime truly includes apostrophes, then the format string should be "'%a %m %d %H:%M:%S %Y'".
If this reply helps you, Karma would be appreciated.
Hi, thank you for this. I just had to make a minor change to "'%a %m %b %H:%M:%S %Y'", which now works great.
In my initial testing I had incorporated a ' but with a % beforehand, because the documentation suggested that to use something as a literal character you add a % beforehand. I obviously misinterpreted this.
Once again thank you for your help and kind regards
Chris
richgalloway (SplunkTrust)
In strptime and strftime format strings, all characters are literal except those preceded by '%'. Use "%%" to get a literal '%'.
If this reply helps you, Karma would be appreciated.
Ahh I see.
That's a lot clearer now. Thank you.
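A self-contained search for comparing the formats discussed in this thread, added here as an example and not taken from any of the posts: it parses a constructed sample value with the question's original format, with the apostrophe-wrapped `%m %d` format, and with the `%b %e` format from nvanderwalt_spl's reply, then flags a null result and does a date calculation on the epoch. Field names other than apiStartTime and startTime are made up for the example, and the check relies on strptime returning null when the format does not match the string (`%m` expects a numeric month, `%b` an abbreviated month name).

```spl
| makeresults
| eval apiStartTime="'Sat Mar 5 00:00:00 2016'"
| eval noQuotes=strptime(apiStartTime, "%a %m %d %H:%M:%S %Y")
| eval monthAsNumber=strptime(apiStartTime, "'%a %m %d %H:%M:%S %Y'")
| eval startTime=strptime(apiStartTime, "'%a %b %e %H:%M:%S %Y'")
| eval parseStatus=if(isnull(startTime), "unparsed", "ok")
| eval ageDays=round((now() - startTime) / 86400, 1)
| eval startDay=strftime(startTime, "%d/%b/%Y")
| table apiStartTime noQuotes monthAsNumber startTime parseStatus ageDays startDay
```

Keeping a parseStatus-style check in a production search makes a format mismatch visible instead of silently dropping the event from later time comparisons.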