Splunk Search

Issue with epoch time when using strptime() function

FeatureCreeep
Path Finder

This is driving me nuts because I use strptime all the time and have many of my own working examples to reference.

I was having a problem doing strptime with a more complex date that wasn't working so I kept making it more simple until even this isn't working.

... | eval TestYear="2017" | eval TestResult=strptime(TestYear,"%Y") | table TestYear, TestResult

Why isn't TestResult getting the epoch time for the year? The field is not being created. This is so simple that I'm clearly doing something dumb that I'm just too close to see.

Thanks guys

0 Karma
1 Solution

somesoni2
SplunkTrust
SplunkTrust

You need minimum of month and date (%m and %d) to parse a string date using strptime. If not provided current year is taken. See this runanywhere example.

| gentimes start=-1 | eval date1=strptime("2017","%Y") | eval date2=strptime("12","%m") | eval date3=strptime("12","%d") | eval date4=strptime("2017-08","%Y-%m") | eval date5=strptime("08-03","%m-%d") | eval date6=strptime("2017-08-03","%Y-%m-%d") | convert ctime(*) as *_human | table date*

View solution in original post

0 Karma

somesoni2
SplunkTrust
SplunkTrust

You need minimum of month and date (%m and %d) to parse a string date using strptime. If not provided current year is taken. See this runanywhere example.

| gentimes start=-1 | eval date1=strptime("2017","%Y") | eval date2=strptime("12","%m") | eval date3=strptime("12","%d") | eval date4=strptime("2017-08","%Y-%m") | eval date5=strptime("08-03","%m-%d") | eval date6=strptime("2017-08-03","%Y-%m-%d") | convert ctime(*) as *_human | table date*
0 Karma

DalJeanis
SplunkTrust
SplunkTrust

Yes, one of the more stupid things about this standard is that it is not reversible. The standard time translation shows only the %Y-%m for a time that is on the first of the month but strptime does not work backwards.

I would have designed a solo year to pull the first moment of that year, but that's just me.

0 Karma

FeatureCreeep
Path Finder

I'm marking this answer correct because it does explain why my "simple" example of my problem wasn't working. It turns out the my original problem was due to hidden special characters in the data string that I couldn't see unless I copied and pasted the string into an app that would display those characters. I had to create a regex in sed mode to strip out all the special characters and my original format string worked. Thanks

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I think you may have run into a limitation of strptime. I get the same results as you, but strptime("2017/08/03","%Y/%m/%d") works ok. What is the original date you're trying to parse?

---
If this reply helps you, Karma would be appreciated.
0 Karma

FeatureCreeep
Path Finder

Ya, @somesoni2 pointed out that my "simple" example is too simple. My original issue was with a datetime like "2017‎-‎08‎-‎03T07:43:17.125751900". I was using "%Y-%m-%dT%H:%M:%S.%9Q" as the format string.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

That's the format string I would use. Not sure Splunk supports that level of precision, though.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...