Splunk Search

Convert string format to time

New Member

One log line from LDAP log file

==================================

Sep 19 10:08:10 simxxx11 slapd_simxxx11[4274]: conn=3012 fd=52 ACCEPT from IP= (IP=

I can capture the STARTTIME of the LDAP connection with a regular expression, but this gives me back a string. When I capture the STARTTIME using rex "(?P<STARTTIME>\w+\s+\d+\s+\d+:\d+:\d+).+conn=\d+ fd=\d+ ACCEPT.+" then I have the value Sep 19 10:08:12 in variable STARTTIME. I want to convert it to a time format.

I have tried


But this does not work.
Another log line from LDAP log file


Sep 19 10:08:12 simxxx11 slapd_simxxx[4274]: conn=3012 fd=52 closed
"(?P<ENDTIME>\w+\s+\d+\s+\d+:\d+:\d+).+ conn=\d+ fd=\d+ closed"

I need to find the difference between the STARTTIME and ENDTIME.

0 Karma

Ultra Champion

If the timestamps you want to use for your calculations are in fact the timestamps that have been used when indexing the events, that information is available in the _time field as an epoch value (which are great for mathematical operations).

There are several ways in which you can achieve this:

With a transaction, assuming that conn is a unique id for this connection (or at least unique within an hour or so). transaction automatically creates a new field called duration.

your_base_search | transaction conn maxevents=2 maxspan=1m startswith="ACCEPT" endswith="closed" | table conn duration

With stats. Assumptions as before.

your_base_search | stats min(_time) AS StartTime max(_time) AS EndTime by conn | eval dur = tostring((EndTime - StartTime), "duration")

You could also look at the convert command instead of the eval/tostring.

Some interesting reading:


Hope this helps,

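The grouping the answer describes (min and max epoch time per conn, then the difference rendered as a duration), as an added Python example that is not from this thread or from Splunk; the slapd lines are constructed after the ones in the question with placeholder IPs, and the year is an assumption because the syslog-style timestamp carries none.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample lines modelled on the slapd entries in the question
# (IPs are placeholders). conn=3014 never closes and must be ignored.
LOG_LINES = [
    "Sep 19 10:08:10 simxxx11 slapd_simxxx11[4274]: conn=3012 fd=52 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)",
    "Sep 19 10:08:11 simxxx11 slapd_simxxx11[4274]: conn=3013 fd=53 ACCEPT from IP=10.0.0.6:51235 (IP=0.0.0.0:389)",
    "Sep 19 10:08:12 simxxx11 slapd_simxxx11[4274]: conn=3012 fd=52 closed",
    "Sep 19 10:09:45 simxxx11 slapd_simxxx11[4274]: conn=3013 fd=53 closed",
    "Sep 19 10:10:00 simxxx11 slapd_simxxx11[4274]: conn=3014 fd=54 ACCEPT from IP=10.0.0.7:51236 (IP=0.0.0.0:389)",
]

# Same captures as the question's rex: the timestamp text, the conn id and the event kind.
LINE_RE = re.compile(
    r"^(?P<ts>\w+\s+\d+\s+\d+:\d+:\d+)\s+\S+\s+\S+:\s+conn=(?P<conn>\d+)\s+fd=\d+\s+(?P<event>ACCEPT|closed)"
)


def syslog_to_epoch(ts: str, year: int) -> float:
    """Turn 'Sep 19 10:08:10' into an epoch value. The string has no year, so the
    caller supplies one (assumed here); UTC is assumed so results are deterministic."""
    dt = datetime.strptime(f"{ts} {year}", "%b %d %H:%M:%S %Y")
    return dt.replace(tzinfo=timezone.utc).timestamp()


def connection_durations(lines, year=2023):
    """Return {conn: seconds between ACCEPT and closed} for every conn that has both,
    i.e. the stats min(_time)/max(_time) by conn approach from the answer."""
    times = defaultdict(dict)
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            times[m["conn"]][m["event"]] = syslog_to_epoch(m["ts"], year)
    return {
        conn: t["closed"] - t["ACCEPT"]
        for conn, t in times.items()
        if "ACCEPT" in t and "closed" in t
    }


def as_duration(seconds: float) -> str:
    """Render seconds as HH:MM:SS, the shape tostring(x, "duration") gives for sub-day values."""
    s = int(seconds)
    return f"{s // 3600:02d}:{(s % 3600) // 60:02d}:{s % 60:02d}"


if __name__ == "__main__":
    for conn, secs in sorted(connection_durations(LOG_LINES).items()):
        print(f"conn={conn} duration={as_duration(secs)}")
```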

Ultra Champion

Sorry, but I don't know the structure of your transactions. LDAP is not my strongest side. Is it something like:


Or is it more like:


You should probably post a few more sample events, highlighting which timestamps you need to compute durations for.


0 Karma

New Member

Thank you Kristian. Actually for a transaction based on conn, I can calculate the duration. But I want to calculate the individual BIND delays and SEARCH delays inside the transaction. Each operation inside a transaction has a unique op value. How can I use it to get to the individual delays?

0 Karma