Re: Convert string to date

shayhk · ‎12-24-2013

Hi, I am tring to convert string data to date and find diff second
the problem is that i cant convert the string to date

...
|table Key DateTime1 DateTime2

Datetime1&2 formats are [2013-12-17 09:38:57.7667] and they are strings

i want to find the diff seconds between them

Lowell · ‎12-26-2013

<your search>
  | rex " (?<dt1>[0-9-]+ [0-9:.]+) (?<dt2>[0-9-]+ [0-9:.]+)"
  | eval dt1=strptime(dt1,"%Y-%m-%d %H:%M:%S.%3Q")
  | eval dt2=strptime(dt2,"%Y-%m-%d %H:%M:%S.%3Q")
  | eval diff=dt2-dt1

matthewcanty · ‎01-08-2014

More info:
Eval Functions
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/CommonEvalFunctions
Time Formats
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Commontimeformatvariables

vgdhavale10 · ‎05-27-2015

Thanks @Lowell.It worked in my case..

somesoni2 · ‎12-26-2013

Have you tried ...|eval DateTime1=strptime(DateTime1,"%Y-%m-%d %H:%M:%S.%3Q")?

sciurus · ‎12-26-2013

Is the [ and ] part of the actual value, or are you adding that in to the question? If it's part of the value, timeformat probably needs to know.

jsie_splunk · ‎12-24-2013

Can you provide a raw example of the event? Are you intending to handle the "57" in the above string as the seconds? Or "57.7667"?

shayhk · ‎12-24-2013

I tried

host=...
| table DateTime1

| convert timeformat="%Y-%m-%d %T" mktime(DateTime1) as _time

but the _time column is empty

the DateTime value is [2013-12-17 09:38:57.7667]

Convert string to date

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?