Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Time conversion for AWS Cloudtrail logs using strptime() and strftime() not working

ezamit
Explorer
‎01-30-2024 01:09 PM

My original time format in the search is 

eventID: d7d2d438-cc61-4e74-9e9a-3fd8ae96388d
   eventName: StartInstances
   eventSource: ec2.amazonaws.com
   eventTime2024-01-30T05:00:27Z
   eventType: AwsApiCall

I am not able to convert it using the strptime function 

eval dt_year_epoc = strptime(eventTime, "%Y-%m-%dThh:mm:ssZ")

eval dt_day= strftime(dt_year_epoc, "%d")

Nothing comes up in dt_day

 

 

 

Labels (1)
Labels
0 Karma
Reply

amitshrigoel
Explorer
‎01-30-2024 04:28 PM

Thanks. I was able to use strptime and convert it to Epoch and use strftime to the format i wanted. Thank you. 

0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-30-2024 03:15 PM

Is the semantic meaning of of dt_day day of year?  For that, Splunk uses %j. (%d is day of month.  But you cannot have day of month without month.)  Meanwhile, it is much better to simply convert the entire eventTime to epoc.

 

| makeresults format=csv data="eventTime
2024-01-30T05:00:27Z"
``` data emulation above ```
| eval eventTime = strptime(eventTime, "%Y-%m-%dT%H:%M:%SZ")
| eval dt_day = strftime(eventTime, "%j")
| fieldformat eventTime = strftime(eventTime, "%F %T")

 

For this you get

dt_dayeventTime
0302024-01-30 05:00:27

But if you really want day of month without month, you can skip all the conversion and treat eventTime as a simple string.

 

| makeresults format=csv data="eventTime
2024-01-30T05:00:27Z"
``` data emulation above ```
| eval dt_year = mvindex(split(eventTime, "T"), 0)
| eval dt_day = mvindex(split(dt_year, "-"), -1)

 

This gives you

dt_daydt_yeareventTime
302024-01-302024-01-30T05:00:27Z

Hope this helps. 

Reply
Get Updates on the Splunk Community!

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...