Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract hour from timestamp in format "YYYY-mm-ddTHH:MM:SS.3NZ"?

pedropiin
Path Finder
2 weeks ago

Hi everyone. 

I suppose this is a very simple question, but I'm new to Splunk and I've tried everything that I have knowledge of. 

The field that contains the timestamp is called "payload.eventProcessedAt"
Trying to parse with 

| eval time_var=strptime(payload.eventProcessedAt, "%Y-%m-%dT%H:%M:%S.%3NZ")

 doesn't work, giving my only "null/empty" values. The same occurs with "strftime".

How can I do this?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

Try like this

| eval time_var=strptime('payload.eventProcessedAt', "%Y-%m-%dT%H:%M:%S.%3NZ")

Field names which contain special characters (including a dot) on the right hand side of an evaluate should be enclosed in single quotes

View solution in original post

Reply
Solved! Jump to solution

livehybrid
Influencer
2 weeks ago

hi @pedropiin 

Does this work?

| eval time_var=strptime(json_extract(_raw,"payload.eventProcessedAt"), "%Y-%m-%dT%H:%M:%S")

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
2 weeks ago

Try like this

| eval time_var=strptime('payload.eventProcessedAt', "%Y-%m-%dT%H:%M:%S.%3NZ")

Field names which contain special characters (including a dot) on the right hand side of an evaluate should be enclosed in single quotes

Reply
Solved! Jump to solution

pedropiin
Path Finder
2 weeks ago

Thank you so much! This was it. 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
2 weeks ago

Hi @pedropiin ,

let me understand: your datetime to use to exct hours is in epochtime or human readable format?

I understood that you want to extract the hours from your datetime, is it correct?

the strptime function is used to convert from human readable in epochtime, if you have a value in this format: 2025-02-28T14:42:25.123, you can extract the hours valu in two ways:

| eval time_var=strftime(strptime(payload.eventProcessedAt, "%Y-%m-%dT%H:%M:%S.%3NZ"),"%H")

or

| eval time_var=substr(eventProcessedAt,12,2)

Ciao.

Giuseppe

 

Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top