Splunk Search

Converting String to date

SAPrabhakar
Explorer

I am trying to convert the string "08/04/16 09:40:41.690" to a date in splunk. I think that I am supposed to use some combination of strptime and strftime but I can't figure it you. I thought that eval testTime = strptime(message.facets.requestStart, "%m/%d/%Y %I:%M:%S:%3Q") would do the trick but that doesn't seem to work.

0 Karma
1 Solution

sundareshr
Legend

Try this

| makeresults | eval x="08/04/16 09:40:41.690" | eval y=strptime(x, "%m/%d/%y %H:%M:%S") | eval z=strftime(y, "%m/%d/%Y") | table x y z

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try this
To convert to epoch

your base search | eval testTime = strptime('message.facets.requestStart', "%m/%d/%Y %H:%M:%S:%N")

To convert to epoch and round to start of the day

your base search | eval testTime = relative_time(strptime('message.facets.requestStart', "%m/%d/%Y %H:%M:%S:%N"),"@d")
0 Karma

sundareshr
Legend

Try this

| makeresults | eval x="08/04/16 09:40:41.690" | eval y=strptime(x, "%m/%d/%y %H:%M:%S") | eval z=strftime(y, "%m/%d/%Y") | table x y z
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...