Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Convert Timestamp from one format to UNIX style format

dowdag
Engager
‎06-10-2019 03:20 PM

I have a log file that has the timestamp for each line as:

Jun 10, 11:07:59.305475

Note that the year is missing - it is inferred from file name... or something...
I am good with deriving year from now()

I would like to convert it to:

2019-6-10 11:07:59.305475

Might there be a way to accomplish this when creating a field extraction?

I have had no luck with startime

Thanks for any clues!

0 Karma
Reply

harshpatel
Contributor
‎06-11-2019 09:58 PM

Hi @dowdag,

You are defining wrong format for DateTimeStr when converting it into epoch time. Please try this:

| eval uxTimeStamp=strftime(strptime(DateTimeStr, "%Y-%m-%d %H:%M:%S.%6N"), "%Y-%m-%d %H:%M:%S:%3N")

See how your DateTimeStr value is 2019-06-06 11:10:04.307625 and as per your format in strptime i.e. %Y-%m-%d %H:%M:%S:%3N means you are expecting DateTimeStr to be 2019-06-06 11:10:04:307 which will result in uxTimeStamp being NULL value.

Cheers,
Harsh

0 Karma
Reply

dowdag
Engager
‎06-11-2019 11:56 AM

Extracted "date time string" data from log: Jun 06, 11:10:04.307625

I added a lookup table

MonthAbrv, MonthNumber
Jan,01 
Feb,02
Mar,03
etc....

| rex field=TimeStamp "(?<Month>\w+)"
| lookup MonthStrToNum MonthAbrv as Month OUTPUT MonthNumber
| rex field=TimeStamp "\w+\s(?<day>\d+)"
| eval year=strftime(now(), "%Y") 
| rex field=TimeStamp "^.+,\s(?<Time>[\d:.]+)"
| eval DateTimeStr= (year . "-". MonthNumber . "-" . day ." " . Time)

DateTimeStr: 2019-06-06 11:10:04.307625

| eval uxTimeStamp=strftime(strptime(DateTimeStr, "%Y-%m-%d %H:%M:%S:%3N"), "%Y-%m-%d %H:%M:%S:%3N")

However uxTimeStamp is NULL -- what might I have missed?

Thanks for any help

0 Karma
Reply

harshpatel
Contributor
‎06-11-2019 09:59 PM

@dowdag
Please try this:
https://answers.splunk.com/answers/751096/convert-timestamp-from-one-format-to-unix-style-fo.html?ch...

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-10-2019 11:40 PM

Hi dowdag,
You have to convert two times your timestamp, try something like this:

| eval time_field=strftime(strptime(_time,"%B %d, %H:%M:%S.%6N"),"%Y-%m-%d %H:%M:%S.%6N")

Bye.
Giuseppe

0 Karma
Reply

harshpatel
Contributor
‎06-11-2019 05:11 AM

Hi @dowdag, Are you trying to achieve this using props.conf or you want to do this using a Splunk search?
What I can tell is you are already extracting timestamp using props.conf and you want to add a year to it?

0 Karma
Reply

alonsocaio
Contributor
‎06-10-2019 06:56 PM

You can try using this command to format _time:

| eval time_field=strftime(_time,"%Y-%m-%d %H:%M:%S.%6N")
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top