Splunk Search

Eval expression with gentimes is not generating new fileds

jagadeeshm
Contributor

Here is my SPL -

| gentimes start=02/07/2017 end=02/08/2017 increment=1h 
| convert timeformat="%Y-%m-%d %H:%M:%S" ctime(starttime) as _time 
| fields _time 
| eval HourOfDay=strftime(_time, "%H") 
| eval BucketMinuteOfHour=strftime(_time, "%M")

Why is this not generating HourOfDay and BucketMinuteOfHour fields in the results?

Thanks!

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

HI @jagadeeshm,

Can you please try below two searches?

I don't know why you format the time but below is working for me. Only value of increment parameter is different. Please check it nad see the difference.

| gentimes start=02/07/2017 end=02/08/2017 increment=1m 
 | rename starttime as _time 
 | fields _time 
 | eval HourOfDay=strftime(_time, "%H") 
 | eval BucketMinuteOfHour=strftime(_time, "%M")

AND

| gentimes start=02/07/2017 end=02/08/2017 increment=1s 
 | rename starttime as _time 
 | fields _time 
 | eval HourOfDay=strftime(_time, "%H") 
 | eval BucketMinuteOfHour=strftime(_time, "%M")

Thanks

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

HI @jagadeeshm,

Can you please try below two searches?

I don't know why you format the time but below is working for me. Only value of increment parameter is different. Please check it nad see the difference.

| gentimes start=02/07/2017 end=02/08/2017 increment=1m 
 | rename starttime as _time 
 | fields _time 
 | eval HourOfDay=strftime(_time, "%H") 
 | eval BucketMinuteOfHour=strftime(_time, "%M")

AND

| gentimes start=02/07/2017 end=02/08/2017 increment=1s 
 | rename starttime as _time 
 | fields _time 
 | eval HourOfDay=strftime(_time, "%H") 
 | eval BucketMinuteOfHour=strftime(_time, "%M")

Thanks

jagadeeshm
Contributor

Thanks! It works for most part, but I don't see the seconds in the time.

0 Karma

jagadeeshm
Contributor

Ok, If I use ctime later it works -

| gentimes start=02/07/2017 end=02/08/2017 increment=1h 
| rename starttime as _time
 | fields _time 
 | eval HourOfDay=strftime(_time, "%H") 
 | eval BucketMinuteOfHour=strftime(_time, "%M")
 | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(_time) as _time 

Intersting!

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Yeah..
Your issue resolved?

0 Karma
Get Updates on the Splunk Community!

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...