Splunk Search

Issue with epoch time when using strptime() function

FeatureCreeep
Path Finder

This is driving me nuts because I use strptime all the time and have many of my own working examples to reference.

I was having a problem doing strptime with a more complex date that wasn't working so I kept making it more simple until even this isn't working.

... | eval TestYear="2017" | eval TestResult=strptime(TestYear,"%Y") | table TestYear, TestResult

Why isn't TestResult getting the epoch time for the year? The field is not being created. This is so simple that I'm clearly doing something dumb that I'm just too close to see.

Thanks guys

0 Karma
1 Solution

somesoni2
Revered Legend

You need minimum of month and date (%m and %d) to parse a string date using strptime. If not provided current year is taken. See this runanywhere example.

| gentimes start=-1 | eval date1=strptime("2017","%Y") | eval date2=strptime("12","%m") | eval date3=strptime("12","%d") | eval date4=strptime("2017-08","%Y-%m") | eval date5=strptime("08-03","%m-%d") | eval date6=strptime("2017-08-03","%Y-%m-%d") | convert ctime(*) as *_human | table date*

View solution in original post

0 Karma

somesoni2
Revered Legend

You need minimum of month and date (%m and %d) to parse a string date using strptime. If not provided current year is taken. See this runanywhere example.

| gentimes start=-1 | eval date1=strptime("2017","%Y") | eval date2=strptime("12","%m") | eval date3=strptime("12","%d") | eval date4=strptime("2017-08","%Y-%m") | eval date5=strptime("08-03","%m-%d") | eval date6=strptime("2017-08-03","%Y-%m-%d") | convert ctime(*) as *_human | table date*
0 Karma

DalJeanis
Legend

Yes, one of the more stupid things about this standard is that it is not reversible. The standard time translation shows only the %Y-%m for a time that is on the first of the month but strptime does not work backwards.

I would have designed a solo year to pull the first moment of that year, but that's just me.

0 Karma

FeatureCreeep
Path Finder

I'm marking this answer correct because it does explain why my "simple" example of my problem wasn't working. It turns out the my original problem was due to hidden special characters in the data string that I couldn't see unless I copied and pasted the string into an app that would display those characters. I had to create a regex in sed mode to strip out all the special characters and my original format string worked. Thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think you may have run into a limitation of strptime. I get the same results as you, but strptime("2017/08/03","%Y/%m/%d") works ok. What is the original date you're trying to parse?

---
If this reply helps you, Karma would be appreciated.
0 Karma

FeatureCreeep
Path Finder

Ya, @somesoni2 pointed out that my "simple" example is too simple. My original issue was with a datetime like "2017‎-‎08‎-‎03T07:43:17.125751900". I was using "%Y-%m-%dT%H:%M:%S.%9Q" as the format string.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That's the format string I would use. Not sure Splunk supports that level of precision, though.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...