Hi All,
In my raw events, there is a field called "dv_last_login_time" (already indexed), as shown below, that shows the timestamp in a human-readable format. I need to extract the hour value out of this. All I am doing is running the following eval command, but this does not end up creating any new field date_hour. In short, it doesn't seem to work. What could be the issue?
eval date_hour=strftime(dv_last_login_time, "%H")
In contrast, if I use _time, which is also in human-readable format, instead of dv_last_login_time, eval() works as expected and we see a new field called date_hour created:
eval date_hour=strftime(_time, "%H")
Secondly, assuming we are able to extract the hour successfully, how do we add +9 hours to the same field? My end goal is to do something like | where duration > date_hour and < date_hour +9
Hi
You must first convert the human-readable format to epoch and then take the hour part, or just split the text string into the correct parts.
| makeresults
| fields - _time
| eval dv_last_login_time="2022-04-20 10:10:22"
``` Generate sample value for use ```
| eval date_hour=strftime(strptime(dv_last_login_time,"%Y-%m-%d %H:%M:%S"), "%H")
The easiest way to add 9h to it is to add it while the field is in epoch format and then convert that to hours:
| makeresults
| fields - _time
| eval dv_last_login_time="2022-04-20 10:10:22"
``` Generate sample value for use ```
| eval epoch9=strptime(dv_last_login_time,"%Y-%m-%d %H:%M:%S") + (9 * 60 * 60)
| eval date_hour9=strftime(epoch9, "%H")
| eval epoch=strptime(dv_last_login_time,"%Y-%m-%d %H:%M:%S")
| eval date_hour=strftime(epoch, "%H")
.....
| where duration > date_hour AND duration < date_hour9
But remember that your date_hour9 can be less than date_hour when original hour + 9 > 23!
r. Ismo
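To make the midnight wrap-around in the last warning visible and handle it in the where logic, here is an added SPL example that is not from the thread; the two login times are constructed samples and `duration` is a constructed placeholder for the field the question compares against.

```spl
| makeresults
| fields - _time
| eval dv_last_login_time="2022-04-20 10:10:22,2022-04-20 18:10:22"   ``` two constructed logins; the second one's +9h window crosses midnight ```
| makemv delim="," dv_last_login_time
| mvexpand dv_last_login_time
| eval epoch=strptime(dv_last_login_time, "%Y-%m-%d %H:%M:%S")   ``` string -> epoch seconds ```
| eval epoch9=epoch + (9 * 60 * 60)                               ``` shift by 9 hours while the value is still numeric ```
| eval date_hour=tonumber(strftime(epoch, "%H"))                  ``` hour of the original login, as a number not a string ```
| eval date_hour9=tonumber(strftime(epoch9, "%H"))                ``` hour nine hours later: 19 for 10:10, 3 for 18:10 ```
| eval duration=2                                                 ``` constructed test value; in a real search this comes from the event ```
| eval in_window=if(date_hour9 >= date_hour,
      if(duration > date_hour AND duration < date_hour9, 1, 0),
      if(duration > date_hour OR duration < date_hour9, 1, 0))   ``` wrapped window: after the start hour OR before the end hour ```
| table dv_last_login_time date_hour date_hour9 duration in_window
```

With these samples the 10:10 login gives in_window=0 (2 is not between 10 and 19) and the 18:10 login gives in_window=1 (its window 18..3 wraps, and 2 is before 3), which a plain `duration > date_hour AND duration < date_hour9` would have missed.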
Thank you both for the detailed information. I was easily lost in these concepts.
If your field contains a string, it is treated as a string. It's not a timestamp to Splunk, and you can't manipulate it as such (rendering to strings, adding/subtracting offsets and so on).
You'd need to strptime it to a numerical timestamp first.
If it's an indexed field, consider parsing it out as a timestamp first so you'll be able to use it "straight".