Convert this time format to epoch and simple date ...

bruno_eduardo · ‎04-14-2016

I have a time in the format of:
Dec 23, 2015 11:45:26 BRST

I'm trying to convert this to epoch time and later to a simple date format (dd/mm/year). Can anyone lend a hand?

Thanks!

woodcock · ‎04-26-2016

Assuming you have a field called my_time, try this:

| rex field=my_time mode=sed "s/ BRST$/ -0200/"
| eval my_time_epoch = strptime(my_time, "%b %d, %Y %H:%M:%S %Z")
| eval _time = my_time_epoch

We need to modify the timezone because Splunk does not recognize BRST.

javiergn · ‎04-14-2016

Keep an eye on your time zone as it could be a problem.

For instance, the following works (using UTC - 3)

| eval my_time = "Dec 23, 2015 11:38:00 -0300"
| eval my_time_epoch = strptime(my_time, "%b %d, %Y %H:%M:%S %z")
| eval _time = my_time_epoch

The following doesn't:

| eval my_time = "Dec 23, 2015 11:38:00 BRST"
| eval my_time_epoch = strptime(my_time, "%b %d, %Y %H:%M:%S %Z")
| eval _time = my_time_epoch

vasanthmss · ‎04-14-2016

Try this,

|stats c | eval date="Dec 23, 2015 11:45:26 BRST" | eval epoch=strptime(date, "%b %d,%Y %H:%M:%S" ) | convert ctime(epoch) as conv

Thanks,
V

V

muebel · ‎04-14-2016

Hi bruno_eduardo, I belive that the convert command will work for you in this case http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Convert

| convert mktime(timefield)

As the convert documentation hints, the strftime and strptime eval functions will help as well. http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions

Please let me know if this answers your question!

Convert this time format to epoch and simple date format