Solved: Issue with epoch time when using strptime() functi...

FeatureCreeep · ‎08-03-2017

This is driving me nuts because I use strptime all the time and have many of my own working examples to reference.

I was having a problem doing strptime with a more complex date that wasn't working so I kept making it more simple until even this isn't working.

... | eval TestYear="2017" | eval TestResult=strptime(TestYear,"%Y") | table TestYear, TestResult

Why isn't TestResult getting the epoch time for the year? The field is not being created. This is so simple that I'm clearly doing something dumb that I'm just too close to see.

Thanks guys

somesoni2 · ‎08-03-2017

You need minimum of month and date (%m and %d) to parse a string date using strptime. If not provided current year is taken. See this runanywhere example.

| gentimes start=-1 | eval date1=strptime("2017","%Y") | eval date2=strptime("12","%m") | eval date3=strptime("12","%d") | eval date4=strptime("2017-08","%Y-%m") | eval date5=strptime("08-03","%m-%d") | eval date6=strptime("2017-08-03","%Y-%m-%d") | convert ctime(*) as *_human | table date*

View solution in original post

somesoni2 · ‎08-03-2017

You need minimum of month and date (%m and %d) to parse a string date using strptime. If not provided current year is taken. See this runanywhere example.

| gentimes start=-1 | eval date1=strptime("2017","%Y") | eval date2=strptime("12","%m") | eval date3=strptime("12","%d") | eval date4=strptime("2017-08","%Y-%m") | eval date5=strptime("08-03","%m-%d") | eval date6=strptime("2017-08-03","%Y-%m-%d") | convert ctime(*) as *_human | table date*

DalJeanis · ‎08-03-2017

Yes, one of the more stupid things about this standard is that it is not reversible. The standard time translation shows only the %Y-%m for a time that is on the first of the month but strptime does not work backwards.

I would have designed a solo year to pull the first moment of that year, but that's just me.

FeatureCreeep · ‎08-07-2017

I'm marking this answer correct because it does explain why my "simple" example of my problem wasn't working. It turns out the my original problem was due to hidden special characters in the data string that I couldn't see unless I copied and pasted the string into an app that would display those characters. I had to create a regex in sed mode to strip out all the special characters and my original format string worked. Thanks

richgalloway · ‎08-03-2017

I think you may have run into a limitation of strptime. I get the same results as you, but strptime("2017/08/03","%Y/%m/%d") works ok. What is the original date you're trying to parse?

---
If this reply helps you, Karma would be appreciated.

FeatureCreeep · ‎08-03-2017

Ya, @somesoni2 pointed out that my "simple" example is too simple. My original issue was with a datetime like "2017‎-‎08‎-‎03T07:43:17.125751900". I was using "%Y-%m-%dT%H:%M:%S.%9Q" as the format string.

richgalloway · ‎08-04-2017

That's the format string I would use. Not sure Splunk supports that level of precision, though.

---
If this reply helps you, Karma would be appreciated.

Issue with epoch time when using strptime() function

Monitoring MariaDB and MySQL

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Federated Analytics for Amazon Security Lake