Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Convert data from "%Y-%m" to epoch and again to "%Y-%m"

Accak
Path Finder
‎02-10-2017 03:15 AM

Hi guys, I am begginer which some problems with converting.
I tried to parse date in format %Y-%m like 2017-01 to epoch, but this:

eval next_month = strptime(chose_month, "%Y-%m")

does not work.

I did some workaround, can anybody tell how I can improve this?

|  eval next_month=chosen_month+"-01"  
 | eval next_month=strptime(next_month,"%Y-%m-%d") | eval next_month = strftime(relative_time(next_month , "+1mon"), "%Y-%m")|

Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-10-2017 11:02 AM

Apparently, strptime does not operate as expected for that format. Concatenate "-01" on the end and use the method in mydate2C below.

| makeresults  
| eval mytime=_time
| eval mydate1 = strftime(_time,"%Y") 
| eval mydate1B = strptime(mydate3,"%Y")
| eval mydate2=strftime(_time,"%Y-%m")
| eval mydate2B=strptime(mydate2,"%Y-%m") 
| eval mydate2C=strptime(mydate2."-01","%Y-%m-%d")
| eval mydate3=strftime(_time,"%Y-%m-%d") 
| eval mydate3B=strptime(mydate3,"%Y-%m-%d") 
| table _time mytime mydate1 mydate1B mydate2 mydate2B mydate2C mydate3 mydate3B

in your case, that would look like - 

| eval this_month_epoch = strptime(chose_month."-01", "%Y-%m-%d")
| eval next_month_epoch = relative_time(this_month_epoch, "+1mon@m")

and if you want to display the results -

| eval this_month_display = strftime(this_month_epoch,"%Y-%m-%d")
| eval next_month_display = strftime(next_month_epoch,"%Y-%m-%d")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-10-2017 11:18 AM

When converting string date to epoch, day and month part is mandatory, year part is optional (default to same year).
When converting string time to epoch, hour and minute part is mandatory, date part is optional (default to today).

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎02-10-2017 11:25 AM

True, but odd. The expected epoch output for a date/time specified at the month level would be the first moment of that month. There's no ambiguity in that as the default. The Open Spec is silent on the matter, as far as I can tell.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎02-10-2017 11:29 AM

I would agree. If you can default the hour to 0 if no hour is specified (when giving month and day) to default to start of the day, why not do the same with month, or year for that matter.

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎02-10-2017 11:02 AM

Apparently, strptime does not operate as expected for that format. Concatenate "-01" on the end and use the method in mydate2C below.

| makeresults  
| eval mytime=_time
| eval mydate1 = strftime(_time,"%Y") 
| eval mydate1B = strptime(mydate3,"%Y")
| eval mydate2=strftime(_time,"%Y-%m")
| eval mydate2B=strptime(mydate2,"%Y-%m") 
| eval mydate2C=strptime(mydate2."-01","%Y-%m-%d")
| eval mydate3=strftime(_time,"%Y-%m-%d") 
| eval mydate3B=strptime(mydate3,"%Y-%m-%d") 
| table _time mytime mydate1 mydate1B mydate2 mydate2B mydate2C mydate3 mydate3B

in your case, that would look like - 

| eval this_month_epoch = strptime(chose_month."-01", "%Y-%m-%d")
| eval next_month_epoch = relative_time(this_month_epoch, "+1mon@m")

and if you want to display the results -

| eval this_month_display = strftime(this_month_epoch,"%Y-%m-%d")
| eval next_month_display = strftime(next_month_epoch,"%Y-%m-%d")
0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...