Solved: Eval () not creating a new field for timestamp ext...

neerajs_81 · ‎04-20-2022

Hi All,

In my raw events, there is a field called "dv_last_login_time" ( already indexed) as shown below that shows timestamp in a human readable format. I need to extract the hour value out of this . All i am doing is running the following eval command but this does not end up creating any new field date_hour. In short it doesn't seem to work. What could be the issue?

 eval date_hour=strftime(dv_last_login_time, "%H")

In Contrast, if i use _time which is also in human readable format, instead of dv_last_login_time , eval() works as expected and we see a new field called date_hour created

 eval date_hour=strftime(_time, "%H")

Secondly, assuming we are able to extract the hour successfully how to add +9 hours to the same field. My end goal is to do something like | where duration > date_hour and < date_hour +9

isoutamo · ‎04-20-2022

Hi

you must 1st convert human readable fort mat to epoch and then take that hour part or just split text string to correct parts.

| makeresults 
| fields - _time
| eval dv_last_login_time="2022-04-20 10:10:22"
``` Generate sample value for use ```
| eval date_hour=strftime(strptime(dv_last_login_time,"%Y-%m-%d %H:%M:%S"), "%H")

Easiest way to add 9h to it is add it on when field is in epoch format and then convert that to hours

| makeresults 
| fields - _time
| eval dv_last_login_time="2022-04-20 10:10:22"
``` Generate sample value for use ```
| eval epoch9=strptime(dv_last_login_time,"%Y-%m-%d %H:%M:%S") + (9 * 60 * 60)
| eval date_hour9=strftime(epoch9, "%H")
| eval epoch=strptime(dv_last_login_time,"%Y-%m-%d %H:%M:%S") + (9 * 60 * 60)
| eval date_hour=strftime(epoch, "%H")
.....
| where duration > date_hour AND duration < date_hour9

But remember that your date_hour9 can be less than date_hour when original hour + 9 > 23!

r. Ismo

View solution in original post

isoutamo · ‎04-20-2022

Hi

you must 1st convert human readable fort mat to epoch and then take that hour part or just split text string to correct parts.

| makeresults 
| fields - _time
| eval dv_last_login_time="2022-04-20 10:10:22"
``` Generate sample value for use ```
| eval date_hour=strftime(strptime(dv_last_login_time,"%Y-%m-%d %H:%M:%S"), "%H")

Easiest way to add 9h to it is add it on when field is in epoch format and then convert that to hours

| makeresults 
| fields - _time
| eval dv_last_login_time="2022-04-20 10:10:22"
``` Generate sample value for use ```
| eval epoch9=strptime(dv_last_login_time,"%Y-%m-%d %H:%M:%S") + (9 * 60 * 60)
| eval date_hour9=strftime(epoch9, "%H")
| eval epoch=strptime(dv_last_login_time,"%Y-%m-%d %H:%M:%S") + (9 * 60 * 60)
| eval date_hour=strftime(epoch, "%H")
.....
| where duration > date_hour AND duration < date_hour9

But remember that your date_hour9 can be less than date_hour when original hour + 9 > 23!

r. Ismo

neerajs_81 · ‎04-20-2022

Thank you both for the detailed information. I was easily lost in these concepts.

PickleRick · ‎04-20-2022

If your field contains a string it is treated as a string. It's not a timestamp to splunk. And you can't manipulate it as such (rendering to strings, adding/substracting offsets and so on).

You'd need to strptime it to a numerical timestamp first.

If it's an indexed field, consider parsing it out as a timestamp first so you'll be able to use it "straight".

Eval () not creating a new field for timestamp extraction

eval

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!