- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Convert Timestamp from one format to UNIX styl...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Convert Timestamp from one format to UNIX style format
I have a log file that has the timestamp for each line as:
Jun 10, 11:07:59.305475
Note that the year is missing - it is inferred from file name... or something...
I am good with deriving year from now()
I would like to convert it to:
2019-6-10 11:07:59.305475
Might there be a way to accomplish this when creating a field extraction?
I have had no luck with startime
Thanks for any clues!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @dowdag,
You are defining wrong format for DateTimeStr when converting it into epoch time. Please try this:
| eval uxTimeStamp=strftime(strptime(DateTimeStr, "%Y-%m-%d %H:%M:%S.%6N"), "%Y-%m-%d %H:%M:%S:%3N")
See how your DateTimeStr value is 2019-06-06 11:10:04.307625 and as per your format in strptime i.e. %Y-%m-%d %H:%M:%S:%3N means you are expecting DateTimeStr to be 2019-06-06 11:10:04:307 which will result in uxTimeStamp being NULL value.
Cheers,
Harsh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Extracted "date time string" data from log: Jun 06, 11:10:04.307625
I added a lookup table
MonthAbrv, MonthNumber
Jan,01
Feb,02
Mar,03
etc....
| rex field=TimeStamp "(?<Month>\w+)"
| lookup MonthStrToNum MonthAbrv as Month OUTPUT MonthNumber
| rex field=TimeStamp "\w+\s(?<day>\d+)"
| eval year=strftime(now(), "%Y")
| rex field=TimeStamp "^.+,\s(?<Time>[\d:.]+)"
| eval DateTimeStr= (year . "-". MonthNumber . "-" . day ." " . Time)
DateTimeStr: 2019-06-06 11:10:04.307625
| eval uxTimeStamp=strftime(strptime(DateTimeStr, "%Y-%m-%d %H:%M:%S:%3N"), "%Y-%m-%d %H:%M:%S:%3N")
However uxTimeStamp is NULL -- what might I have missed?
Thanks for any help
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dowdag,
You have to convert two times your timestamp, try something like this:
| eval time_field=strftime(strptime(_time,"%B %d, %H:%M:%S.%6N"),"%Y-%m-%d %H:%M:%S.%6N")
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @dowdag, Are you trying to achieve this using props.conf or you want to do this using a Splunk search?
What I can tell is you are already extracting timestamp using props.conf and you want to add a year to it?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can try using this command to format _time:
| eval time_field=strftime(_time,"%Y-%m-%d %H:%M:%S.%6N")
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
