Splunk Search

Converting date to epoch time

jvmerilla
Path Finder

Hi

I'm trying to convert a certain date to epoch time to calculate it with the current time. But for some reason it didn't work.

Here's my query:

index="sample_data" sourcetype="management_sampledata.csv" Status!=Closed
| eval reported_date = strptime("Reported Date", "%m/%d/%Y %H:%M")
| eval timenow = now()

The eval timenow = now() worked and it created a new field named "timenow". But the eval reported_date=strptime("Reported Date", "%m/%d/%Y %H:%M") didn't work. It does not create a new field named "reported_date" and so it did not convert the "Reported Date" to epoch time.

What could be the problem with this query?

Thanks in advance!

0 Karma
1 Solution

harsmarvania57
SplunkTrust

Hi @jvmerilla,

You are facing this problem because there is whitespace in your date field name and you are enclosing it in " in strptime, so please use the query below:

index="sample_data" sourcetype="management_sampledata.csv" Status!=Closed
| rename "Reported Date" AS Reported_Date
| eval reported_date = strptime(Reported_Date, "%m/%d/%Y %H:%M")
| eval timenow = now()

I hope this helps.

Thanks,
Harshil


hortoristic
New Member

I can't seem to get the above snippet to change my Epoch timestamp column to a readable date. What am I doing wrong?

(index="wsecu_apps" OR index="wsecu_mobile_app") (username="" AND Useragent="" AND http_method=POST) OR (username="" AND http_user_agent="") | table username, http_user_agent, Useragent, eval timestamp = strptime(timestamp, "%m/%d/%Y %H:%M")

I'm still getting strangeness.

Here is my query; the "timestamp" column is in Epoch time and I just wanted to convert it to a readable date:

(index="wsecu_apps" OR index="wsecu_mobile_app") (username="" AND Useragent="" AND http_method=POST) OR (username="" AND http_user_agent="") | table username, http_user_agent, Useragent, eval timestamp = strptime(timestamp, "%m/%d/%Y %H:%M")

The query won't even run.

0 Karma

dsiob
Communicator

You can use as it is:

index="sample_data" sourcetype="management_sampledata.csv" Status!=Closed
| eval reported_date = strptime('Reported Date', "%m/%d/%Y %H:%M")
| eval timenow = now()

Just need to use single quotes instead of double quotes.

0 Karma
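The two fixes above (renaming the field, as in harsmarvania57's accepted answer, or quoting it with single quotes, as in dsiob's answer) both exist because eval treats a double-quoted token as a string literal: strptime("Reported Date", ...) tries to parse the literal text "Reported Date", gets null, and eval silently creates no field. The following self-contained search is an added example, not part of any post in this thread; it builds three constructed rows with makeresults so it runs against no index, and the field names reported_date, broken_attempt, age_days and reported_readable are my own. It also covers hortoristic's question, which goes in the other direction: epoch to readable text is strftime, not strptime.

```spl
| makeresults count=3
| streamstats count AS n
| eval reported_raw=case(n==1, "03/01/2024 09:15",
                         n==2, "03/05/2024 17:40",
                         n==3, "03/09/2024 08:00"),
       Status=case(n==1, "Open", n==2, "In Progress", n==3, "Closed")
| rename reported_raw AS "Reported Date"
| where Status!="Closed"
| eval reported_date=strptime('Reported Date', "%m/%d/%Y %H:%M")
| eval broken_attempt=strptime("Reported Date", "%m/%d/%Y %H:%M")
| eval timenow=now()
| eval age_days=round((timenow - reported_date) / 86400, 1)
| eval reported_readable=strftime(reported_date, "%Y-%m-%d %H:%M:%S")
| fillnull value="<null>" broken_attempt
| table "Reported Date", reported_date, broken_attempt, reported_readable, timenow, age_days
```

Line by line: makeresults and streamstats fabricate three numbered rows; the first eval fills constructed "Reported Date" strings and a Status; rename gives the field the space-containing name from the original question; where drops the Closed row the same way Status!=Closed does in the base search. reported_date uses the single-quoted field reference and comes back as epoch seconds, while broken_attempt reproduces the original mistake and is shown as <null> by fillnull so the difference is visible in the results table. age_days subtracts the two epoch values, which is the calculation the original poster was after, and reported_readable shows strftime turning an epoch back into text. One caveat worth knowing before trusting age_days: the format string has no timezone directive, so strptime interprets "Reported Date" in the timezone configured for the searching user, not UTC; if the CSV was written in another timezone, add a %z field to the data or adjust for the offset.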


jvmerilla
Path Finder

Hi @harsmarvania57,

It works!

Thank you so much! 🙂

0 Karma