Solved: How to convert this string into a usable time form...

jperezes · ‎03-02-2017

Hi and thanks in advance,

I am trying to convert the following time example field:

2017-03-02T09:41:38.405Z

into a Splunk time format so I can get time windows to use in streamstats.
thing is with the T in the middle and the Z at the end, all the tries I am doing with strptime are failing.
I tried the following:

|eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S.%3QZ")

but no luck, any idea?

Rgds,
Juan

woodcock · ‎03-02-2017

2017-03-02T09:41:38.405Z

Like this (The trailing Z is for Zulu, AKA GMT so you need to grab the TZ with %Z😞

| eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S.%3N%Z")

View solution in original post

woodcock · ‎03-02-2017

2017-03-02T09:41:38.405Z

Like this (The trailing Z is for Zulu, AKA GMT so you need to grab the TZ with %Z😞

| eval time=strptime(timeValue,"%Y-%m-%dT%H:%M:%S.%3N%Z")

jperezes · ‎03-08-2017

Thanks, sorry for late reply but was trying bits and pieces but couldn't get what I wanted; get the streamstats based on next time specifiead in the json data, not the arrival time. So far no luck on all my tries, not sure if is possible. Will post another question.

Thanks anyway.

How to convert this string into a usable time format?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar

Are you a member of the Splunk Community?

How to convert this string into a usable time format?

Pro Tips for First-Time .conf Attendees: Advice from SplunkTrust

Raise Your Skills at the .conf25 Builder Bar: Your Splunk Developer Destination

Hunt Smarter, Not Harder: Discover New SPL “Recipes” in Our Threat Hunting Webinar