Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Convert string to date
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Convert string to date
shayhk
Explorer
12-24-2013
03:43 AM
Hi, I am tring to convert string data to date and find diff second
the problem is that i cant convert the string to date
...
|table Key DateTime1 DateTime2
Datetime1&2 formats are [2013-12-17 09:38:57.7667] and they are strings
i want to find the diff seconds between them
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Lowell
Super Champion
12-26-2013
01:58 PM
<your search>
| rex " (?<dt1>[0-9-]+ [0-9:.]+) (?<dt2>[0-9-]+ [0-9:.]+)"
| eval dt1=strptime(dt1,"%Y-%m-%d %H:%M:%S.%3Q")
| eval dt2=strptime(dt2,"%Y-%m-%d %H:%M:%S.%3Q")
| eval diff=dt2-dt1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
matthewcanty
Communicator
01-08-2014
03:53 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vgdhavale10
New Member
05-27-2015
02:22 AM
Thanks @Lowell.It worked in my case..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
12-26-2013
04:46 AM
Have you tried ...|eval DateTime1=strptime(DateTime1,"%Y-%m-%d %H:%M:%S.%3Q")?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sciurus
Path Finder
12-26-2013
01:41 AM
Is the [ and ] part of the actual value, or are you adding that in to the question? If it's part of the value, timeformat probably needs to know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jsie_splunk
Splunk Employee
12-24-2013
11:21 AM
Can you provide a raw example of the event? Are you intending to handle the "57" in the above string as the seconds? Or "57.7667"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shayhk
Explorer
12-24-2013
06:59 AM
I tried
host=...
| table DateTime1
| convert timeformat="%Y-%m-%d %T" mktime(DateTime1) as _time
but the _time column is empty
the DateTime value is [2013-12-17 09:38:57.7667]
Related Topics
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
