Splunk Search

Convert data from "%Y-%m" to epoch and again to "%Y-%m"

Accak
Path Finder

Hi guys, I am a beginner with some problems with converting.
I tried to parse a date in the format %Y-%m, like 2017-01, to epoch, but this:

eval next_month = strptime(chose_month, "%Y-%m")

does not work.

I did some workaround, can anybody tell how I can improve this?

| eval next_month=chosen_month+"-01"
| eval next_month=strptime(next_month,"%Y-%m-%d")
| eval next_month=strftime(relative_time(next_month, "+1mon"), "%Y-%m")

Thanks in advance!

0 Karma
1 Solution

DalJeanis
SplunkTrust

Apparently, strptime does not operate as expected for that format. Concatenate "-01" on the end and use the method in mydate2C below.

| makeresults  
| eval mytime=_time
| eval mydate1 = strftime(_time,"%Y") 
| eval mydate1B = strptime(mydate1,"%Y")
| eval mydate2=strftime(_time,"%Y-%m")
| eval mydate2B=strptime(mydate2,"%Y-%m") 
| eval mydate2C=strptime(mydate2."-01","%Y-%m-%d")
| eval mydate3=strftime(_time,"%Y-%m-%d") 
| eval mydate3B=strptime(mydate3,"%Y-%m-%d") 
| table _time mytime mydate1 mydate1B mydate2 mydate2B mydate2C mydate3 mydate3B

In your case, that would look like -

| eval this_month_epoch = strptime(chose_month."-01", "%Y-%m-%d")
| eval next_month_epoch = relative_time(this_month_epoch, "+1mon@m")

and if you want to display the results -

| eval this_month_display = strftime(this_month_epoch,"%Y-%m-%d")
| eval next_month_display = strftime(next_month_epoch,"%Y-%m-%d")


0 Karma
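
The full round trip the question asks for (%Y-%m to epoch and back to %Y-%m for the following month), as an added example that is not part of the original posts: it uses the "-01" workaround from the accepted answer, checks the input format first so that a malformed value produces null rather than a misleading month, and includes a December value to show the year rollover. The sample values and the valid, status and sample_note fields are constructed for illustration; chose_month is the field name used in the question.

```spl
| makeresults
| eval sample_note = "constructed sample values, not from the thread"
| eval chose_month = split("2017-01,2017-12,2017-13,2017-1", ",")
| mvexpand chose_month
| eval valid = if(match(chose_month, "^\d{4}-(0[1-9]|1[0-2])$"), 1, 0)
| eval this_month_epoch = if(valid=1, strptime(chose_month."-01", "%Y-%m-%d"), null())
| eval next_month_epoch = relative_time(this_month_epoch, "+1mon@mon")
| eval next_month = strftime(next_month_epoch, "%Y-%m")
| eval status = if(isnull(next_month), "rejected: not YYYY-MM", "ok")
| table chose_month this_month_epoch next_month_epoch next_month status sample_note
```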

somesoni2
SplunkTrust

When converting a string date to epoch, the day and month parts are mandatory; the year part is optional (defaults to the same year).
When converting a string time to epoch, the hour and minute parts are mandatory; the date part is optional (defaults to today).

0 Karma

DalJeanis
SplunkTrust

True, but odd. The expected epoch output for a date/time specified at the month level would be the first moment of that month. There's no ambiguity in that as the default. The Open Spec is silent on the matter, as far as I can tell.

0 Karma

somesoni2
SplunkTrust

I would agree. If you can default the hour to 0 if no hour is specified (when giving month and day) to default to start of the day, why not do the same with month, or year for that matter?
