Solved: Re: Convert splunk time format to epoc time.

AKG1_old1 · ‎04-07-2017

Hi,

Can we convert splunk specific time to epoc time ?

For example:
-4h@h

I am using a search query in which one token have value like this causing failure of that query.

Query :

working fine : eventtype=mlc | eval _time = 3423423423 + relative_time
Not working : eventtype=mlc | eval _time = -4h@h + relative_time

Thanks

somesoni2 · ‎04-07-2017

Try like this

eventtype=mlc | eval _time = if(len(replace("$yourtoken$","\d",""))=0,$yourtoken$,relative_time(now(),"$yourtoken$")) + relative_time

Basically checking if the token value is all numbers (not relative time modifier) then use the token value OR use the relative time modifier value instead.

View solution in original post

woodcock · ‎04-07-2017

You use the relative_time() function and the now() function.

somesoni2 · ‎04-07-2017

Try like this

eventtype=mlc | eval _time = if(len(replace("$yourtoken$","\d",""))=0,$yourtoken$,relative_time(now(),"$yourtoken$")) + relative_time

Basically checking if the token value is all numbers (not relative time modifier) then use the token value OR use the relative time modifier value instead.

AKG1_old1 · ‎04-12-2017

Thank you @somesoni2. it helped me to fix the problem.
the below one worked fine.
eventtype=mlc | eval start_time = if(len(replace("$time_token.earliest$","\d",""))=0,"$time_token.earliest$",0) | eval _time = start_time + relative_time

Convert splunk time format to epoc time.

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

Convert splunk time format to epoc time.

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...