- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is driving me nuts because I use strptime all the time and have many of my own working examples to reference.
I was having a problem doing strptime with a more complex date that wasn't working so I kept making it more simple until even this isn't working.
... | eval TestYear="2017" | eval TestResult=strptime(TestYear,"%Y") | table TestYear, TestResult
Why isn't TestResult getting the epoch time for the year? The field is not being created. This is so simple that I'm clearly doing something dumb that I'm just too close to see.
Thanks guys
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need minimum of month and date (%m and %d) to parse a string date using strptime. If not provided current year is taken. See this runanywhere example.
| gentimes start=-1 | eval date1=strptime("2017","%Y") | eval date2=strptime("12","%m") | eval date3=strptime("12","%d") | eval date4=strptime("2017-08","%Y-%m") | eval date5=strptime("08-03","%m-%d") | eval date6=strptime("2017-08-03","%Y-%m-%d") | convert ctime(*) as *_human | table date*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need minimum of month and date (%m and %d) to parse a string date using strptime. If not provided current year is taken. See this runanywhere example.
| gentimes start=-1 | eval date1=strptime("2017","%Y") | eval date2=strptime("12","%m") | eval date3=strptime("12","%d") | eval date4=strptime("2017-08","%Y-%m") | eval date5=strptime("08-03","%m-%d") | eval date6=strptime("2017-08-03","%Y-%m-%d") | convert ctime(*) as *_human | table date*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, one of the more stupid things about this standard is that it is not reversible. The standard time translation shows only the %Y-%m for a time that is on the first of the month but strptime does not work backwards.
I would have designed a solo year to pull the first moment of that year, but that's just me.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm marking this answer correct because it does explain why my "simple" example of my problem wasn't working. It turns out the my original problem was due to hidden special characters in the data string that I couldn't see unless I copied and pasted the string into an app that would display those characters. I had to create a regex in sed mode to strip out all the special characters and my original format string worked. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you may have run into a limitation of strptime. I get the same results as you, but strptime("2017/08/03","%Y/%m/%d") works ok. What is the original date you're trying to parse?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ya, @somesoni2 pointed out that my "simple" example is too simple. My original issue was with a datetime like "2017-08-03T07:43:17.125751900". I was using "%Y-%m-%dT%H:%M:%S.%9Q" as the format string.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's the format string I would use. Not sure Splunk supports that level of precision, though.
If this reply helps you, Karma would be appreciated.
