Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to combine two separate date and time fields into one timestamp field?

bcusick
Communicator
‎09-02-2014 01:53 PM

Hi, I have two separate fields that I'd like to combine into 1 timestamp field.

The fields are formatted "YYMMDD" and "HHMMSS"

I'd like to combine and eval them to read "mm/dd/yyyy hh:mm:ss".

Does anyone have any experience with this? The fields are "TRADE_YYMMDD" and "EXEC_TIME_HHMMSS"

Tags (4)
0 Karma
Reply

kristian_kolb
Ultra Champion
‎09-03-2014 12:06 PM

If you have (as @kbecker shows) created a field which holds the combined date and time information, you can get the epoch representation like so;

your_search 
| eval combined_epoch = strptime(combined, "%y%m%d %H%M%S") 
| eval nice_date = strftime(combined_epoch, "%m/%d/%y %H:%M:%S")

Note that it is important that the strptime variables actually match the contents of the field combined. In this case 

140823 095421

is ok, but none of the following will work;

20140823 09:54:21
14.08.23 095421
2014-08-23 09:54:21

So basically you need to look at the data you have, and specify how parse the time string into epoch (str*ptime). Then you can decide yourself how you want to **format* the epoch timestamp (str*f*time).

See the docs, or link below for common variables;

http://www.strftime.net

/K

Reply

kristian_kolb
Ultra Champion
‎09-04-2014 12:18 PM

%e is for days 1..31,
instead of %d, which is 01..31

/k

Reply

bcusick
Communicator
‎09-04-2014 11:37 AM

So far so good on this one. The only discrepency I am seeing is the fact that it contains a "zero" in the month if it's a single-digit month. Is there any way to get rid of that?

sourcedata: 140823 090421

New field: 08/23/2014 09:54:21 AM

And what I'm looking for is: 8/23/2014 9:54:21 AM. It just needs to be an exact match to an already existing field in this format. Thanks

0 Karma
Reply

kbecker
Communicator
‎09-02-2014 02:44 PM

You can use the eval function for example

| eval combined = TRADE_YYMMDD." ".EXEC_TIME_HHMMSS

Reply

kbecker
Communicator
‎09-02-2014 05:31 PM

After you combine the fields use convert mktime to convert the time from human readable to epoch.

http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Convert

Reply

bcusick
Communicator
‎09-02-2014 05:10 PM

Thanks..I can combine the fields, but how about getting them into epoch? I fear that just throwing them together won't give me the correct time that I can convert correctly..or am I looking too far into this?

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...