
Convert this time format to epoch and simple date format

bruno_eduardo
Path Finder

I have a time in the format of:
Dec 23, 2015 11:45:26 BRST

I'm trying to convert this to epoch time and later to a simple date format (dd/mm/year). Can anyone lend a hand?

Thanks!

0 Karma

woodcock
Esteemed Legend

Assuming you have a field called my_time, try this:

| rex field=my_time mode=sed "s/ BRST$/ -0200/"
| eval my_time_epoch = strptime(my_time, "%b %d, %Y %H:%M:%S %Z")
| eval _time = my_time_epoch

We need to modify the timezone because Splunk does not recognize BRST.

0 Karma

javiergn
Super Champion

Keep an eye on your time zone as it could be a problem.

For instance, the following works (using UTC - 3)

| eval my_time = "Dec 23, 2015 11:38:00 -0300"
| eval my_time_epoch = strptime(my_time, "%b %d, %Y %H:%M:%S %z")
| eval _time = my_time_epoch

The following doesn't:

| eval my_time = "Dec 23, 2015 11:38:00 BRST"
| eval my_time_epoch = strptime(my_time, "%b %d, %Y %H:%M:%S %Z")
| eval _time = my_time_epoch
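
The approach from the two answers above, carried through to the dd/mm/year string the question asks for. This search is an added example, not part of any post in this thread. The field names ts, tz_abbr, tz_offset, simple_date and parse_status are illustrative, and the BRT mapping (UTC-3, Brasília standard time) is an addition beyond the BRST case discussed here.

```spl
| makeresults
| eval my_time = "Dec 23, 2015 11:45:26 BRST"
| rex field=my_time "^(?<ts>.+) (?<tz_abbr>[A-Z]{2,5})$"
| eval tz_offset = case(tz_abbr=="BRST", "-0200", tz_abbr=="BRT", "-0300")
| eval my_time_epoch = strptime(ts . " " . tz_offset, "%b %d, %Y %H:%M:%S %z")
| eval simple_date = strftime(my_time_epoch, "%d/%m/%Y")
| eval parse_status = if(isnull(my_time_epoch), "unparsed", "ok")
| table my_time tz_abbr tz_offset my_time_epoch simple_date parse_status
```

An abbreviation that is not in the case() list leaves tz_offset null, so my_time_epoch stays null and parse_status reads "unparsed" instead of the event being placed at the wrong time. strftime renders in the time zone of the user running the search, so simple_date can fall on the next or previous day for events close to midnight.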

vasanthmss
Motivator

Try this,

|stats c | eval date="Dec 23, 2015 11:45:26 BRST" | eval epoch=strptime(date, "%b %d,%Y %H:%M:%S" ) | convert ctime(epoch) as conv

Read more on date variables at the links below:
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Commontimeformatvariables
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Convert

Thanks,
V

0 Karma

muebel
SplunkTrust

Hi bruno_eduardo, I believe that the convert command will work for you in this case: http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Convert

| convert mktime(timefield)

As the convert documentation hints, the strftime and strptime eval functions will help as well. http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions

Please let me know if this answers your question!
