Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Date type issue on extracted fields

clementros
Path Finder
‎12-05-2019 01:15 AM

Hi all,

I have two date fields extracted (with regex) from log files. 

starting_collection_timestamp = Thu Oct 17 22:40:10 GMT 2019
end_collection_timestamp = Thu Oct 17 22:40:21 GMT 2019

I tried to know the exact type for this fields with the command : 

| makeresults | eval t=typeof(starting_collection_timestamp)

Here is the result : 

        _time              |            t
 2019-11-29 08:56:43                 Invalid

When i tried to calculate the elapsed time between starting_collection_timestamp and end_collection_timestamp i have an empty field.

I tried to change the type with the command strptime without sucess. 

| eval strptime('starting_collection_timestamp', "%a %b %d %H:%M:%S %Z %Y")

Thank you for your help.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-05-2019 01:27 AM

@clementros

I think you should try this.

| makeresults 
| eval starting_collection_timestamp="Thu Oct 17 22:40:10 GMT 2019", end_collection_timestamp="Thu Oct 17 22:40:21 GMT 2019" 
| eval starting_collection_timestamp = strptime('starting_collection_timestamp', "%a %b %d %H:%M:%S %Z %Y") 
| eval end_collection_timestamp = strptime('end_collection_timestamp', "%a %b %d %H:%M:%S %Z %Y") 
| eval total_duration = end_collection_timestamp - starting_collection_timestamp 
| eval duration = tostring(total_duration, "duration")

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-05-2019 01:27 AM

@clementros

I think you should try this.

| makeresults 
| eval starting_collection_timestamp="Thu Oct 17 22:40:10 GMT 2019", end_collection_timestamp="Thu Oct 17 22:40:21 GMT 2019" 
| eval starting_collection_timestamp = strptime('starting_collection_timestamp', "%a %b %d %H:%M:%S %Z %Y") 
| eval end_collection_timestamp = strptime('end_collection_timestamp', "%a %b %d %H:%M:%S %Z %Y") 
| eval total_duration = end_collection_timestamp - starting_collection_timestamp 
| eval duration = tostring(total_duration, "duration")
Reply
Solved! Jump to solution

clementros
Path Finder
‎12-05-2019 03:02 AM

Thank you it works

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-05-2019 03:13 AM

Great @clementros. Please upvote and accept this answer to close this question.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...