Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Issue with strptime
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey guys,
So I've used strptime before but for some reason this isn't working properly. I have a column with different types of data like below:
Column |Value ------------------ 02/2016 | 100 03/2016 | 200 04/2016 | 150 05/2016 | 450 high | 12 medium | 30 low | 34
I have a column that separates the dates from the rest. so with that me search s simple:
index="servers" filter="dates" | eval myDate = strptime(Column, "%m/%Y")|table myDate
"filter" would be the field thats used separate the date from other data. This search gives me nothing.
What would the problem and how would i get it to work?
Thanks in advanced!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue here is that strptime need both date and month to parse a string formated date to epoch. Year is optional. Your data doesn't have date part, hence strptime fails.
Option: add date part explicitly (when using month you anyways refer to first date of the month).
index="servers" filter="dates" | eval myDate = strptime("01/".Columns, "%d/%m/%Y")|table myDate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue here is that strptime need both date and month to parse a string formated date to epoch. Year is optional. Your data doesn't have date part, hence strptime fails.
Option: add date part explicitly (when using month you anyways refer to first date of the month).
index="servers" filter="dates" | eval myDate = strptime("01/".Columns, "%d/%m/%Y")|table myDate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
+1, Somesoni Sir.
One question -
///Option: add date part explicitly (when using month you anyways refer to first date of the month).///
why refer to first date, when using month?!?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take the reference of the timechart with span=1mon. All the _time value will be set to "01/Month/Year 00:00:00 AM". While bucketing Splunk assigns lower value to the bucket, for month it'll be first day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked! Thank you for the great explanation!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The screen shot has a "Column" field, but the SPL has "Columns". Parsing a column that doesn't exist will yield nothing.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just an error when asking question. Fixed but the issue is still the same. Sorry about that
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Automating Threat Operations and Threat Hunting with Recorded Future
Keep the Learning Going with the New Best of .conf Hub
Splunk Community Badges!
