Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Issue with strptime
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey guys,
So I've used strptime before but for some reason this isn't working properly. I have a column with different types of data like below:
Column |Value ------------------ 02/2016 | 100 03/2016 | 200 04/2016 | 150 05/2016 | 450 high | 12 medium | 30 low | 34
I have a column that separates the dates from the rest. so with that me search s simple:
index="servers" filter="dates" | eval myDate = strptime(Column, "%m/%Y")|table myDate
"filter" would be the field thats used separate the date from other data. This search gives me nothing.
What would the problem and how would i get it to work?
Thanks in advanced!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue here is that strptime need both date and month to parse a string formated date to epoch. Year is optional. Your data doesn't have date part, hence strptime fails.
Option: add date part explicitly (when using month you anyways refer to first date of the month).
index="servers" filter="dates" | eval myDate = strptime("01/".Columns, "%d/%m/%Y")|table myDate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The issue here is that strptime need both date and month to parse a string formated date to epoch. Year is optional. Your data doesn't have date part, hence strptime fails.
Option: add date part explicitly (when using month you anyways refer to first date of the month).
index="servers" filter="dates" | eval myDate = strptime("01/".Columns, "%d/%m/%Y")|table myDate
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
+1, Somesoni Sir.
One question -
///Option: add date part explicitly (when using month you anyways refer to first date of the month).///
why refer to first date, when using month?!?
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take the reference of the timechart with span=1mon. All the _time value will be set to "01/Month/Year 00:00:00 AM". While bucketing Splunk assigns lower value to the bucket, for month it'll be first day.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked! Thank you for the great explanation!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The screen shot has a "Column" field, but the SPL has "Columns". Parsing a column that doesn't exist will yield nothing.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Just an error when asking question. Fixed but the issue is still the same. Sorry about that
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
