Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Highlighted

Convert string to date

shayhk
Explorer
‎12-24-2013 03:43 AM

Hi, I am tring to convert string data to date and find diff second
the problem is that i cant convert the string to date

...
|table Key DateTime1 DateTime2

Datetime1&2 formats are [2013-12-17 09:38:57.7667] and they are strings

i want to find the diff seconds between them

Tags (3)
0 Karma
Reply
Highlighted

Re: Convert string to date

shayhk
Explorer
‎12-24-2013 06:59 AM

I tried

host=...
| table DateTime1

| convert timeformat="%Y-%m-%d %T" mktime(DateTime1) as _time

but the _time column is empty

the DateTime value is [2013-12-17 09:38:57.7667]

0 Karma
Reply
Highlighted

Re: Convert string to date

jsie_splunk
Splunk Employee
Splunk Employee
‎12-24-2013 11:21 AM

Can you provide a raw example of the event? Are you intending to handle the "57" in the above string as the seconds? Or "57.7667"?

0 Karma
Reply
Highlighted

Re: Convert string to date

sciurus
Path Finder
‎12-26-2013 01:41 AM

Is the [ and ] part of the actual value, or are you adding that in to the question? If it's part of the value, timeformat probably needs to know.

0 Karma
Reply
Highlighted

Re: Convert string to date

somesoni2
SplunkTrust
SplunkTrust
‎12-26-2013 04:46 AM

Have you tried ...|eval DateTime1=strptime(DateTime1,"%Y-%m-%d %H:%M:%S.%3Q")?

0 Karma
Reply
Highlighted

Re: Convert string to date

Lowell
Super Champion
‎12-26-2013 01:58 PM 
<your search>
  | rex " (?<dt1>[0-9-]+ [0-9:.]+) (?<dt2>[0-9-]+ [0-9:.]+)"
  | eval dt1=strptime(dt1,"%Y-%m-%d %H:%M:%S.%3Q")
  | eval dt2=strptime(dt2,"%Y-%m-%d %H:%M:%S.%3Q")
  | eval diff=dt2-dt1
Reply
Highlighted
Highlighted

Re: Convert string to date

vgdhavale10
New Member
‎05-27-2015 02:22 AM

Thanks @Lowell.It worked in my case..

0 Karma
Reply