Splunk Search

Issue with epoch time when using strptime() function

FeatureCreeep
Path Finder

This is driving me nuts because I use strptime all the time and have many of my own working examples to reference.

I was having a problem doing strptime with a more complex date that wasn't working so I kept making it more simple until even this isn't working.

... | eval TestYear="2017" | eval TestResult=strptime(TestYear,"%Y") | table TestYear, TestResult

Why isn't TestResult getting the epoch time for the year? The field is not being created. This is so simple that I'm clearly doing something dumb that I'm just too close to see.

Thanks guys

0 Karma
1 Solution

somesoni2
Revered Legend

You need minimum of month and date (%m and %d) to parse a string date using strptime. If not provided current year is taken. See this runanywhere example.

| gentimes start=-1 | eval date1=strptime("2017","%Y") | eval date2=strptime("12","%m") | eval date3=strptime("12","%d") | eval date4=strptime("2017-08","%Y-%m") | eval date5=strptime("08-03","%m-%d") | eval date6=strptime("2017-08-03","%Y-%m-%d") | convert ctime(*) as *_human | table date*

View solution in original post

0 Karma

somesoni2
Revered Legend

You need minimum of month and date (%m and %d) to parse a string date using strptime. If not provided current year is taken. See this runanywhere example.

| gentimes start=-1 | eval date1=strptime("2017","%Y") | eval date2=strptime("12","%m") | eval date3=strptime("12","%d") | eval date4=strptime("2017-08","%Y-%m") | eval date5=strptime("08-03","%m-%d") | eval date6=strptime("2017-08-03","%Y-%m-%d") | convert ctime(*) as *_human | table date*
0 Karma

DalJeanis
Legend

Yes, one of the more stupid things about this standard is that it is not reversible. The standard time translation shows only the %Y-%m for a time that is on the first of the month but strptime does not work backwards.

I would have designed a solo year to pull the first moment of that year, but that's just me.

0 Karma

FeatureCreeep
Path Finder

I'm marking this answer correct because it does explain why my "simple" example of my problem wasn't working. It turns out the my original problem was due to hidden special characters in the data string that I couldn't see unless I copied and pasted the string into an app that would display those characters. I had to create a regex in sed mode to strip out all the special characters and my original format string worked. Thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think you may have run into a limitation of strptime. I get the same results as you, but strptime("2017/08/03","%Y/%m/%d") works ok. What is the original date you're trying to parse?

---
If this reply helps you, Karma would be appreciated.
0 Karma

FeatureCreeep
Path Finder

Ya, @somesoni2 pointed out that my "simple" example is too simple. My original issue was with a datetime like "2017‎-‎08‎-‎03T07:43:17.125751900". I was using "%Y-%m-%dT%H:%M:%S.%9Q" as the format string.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That's the format string I would use. Not sure Splunk supports that level of precision, though.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

We’ve been buzzing with excitement about the recent validation of Splunk Education! The 2024 Splunk Career ...

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...