Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trouble with date conversion

mistydennis
Communicator
‎09-29-2022 12:17 PM

I need to create a field (30days) with a date 30 days from the date in a given field (pubdate). I believe I have that part working, but can't seem to get the date to convert to the format I want.

|makeresults
|eval pubdate="2022-09-30,2021-08-31"
|makemv delim="," pubdate
|mvexpand pubdate
|eval epochtime=strptime(pubdate, "%Y-%m-%d") 
|eval 30days=epochtime + 2592000
|convert ctime(30days)
|table pubdate, 30days


Which produces:

pubdate30days
2022-09-3010/30/2022 00:00:00.000000
2021-08-3109/30/2021 00:00:00.000000

 

All I want to do is to format the 30days date field the same was as pubdate - "%Y-%m-%d". Everything I'm trying is producing an error.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2022 01:23 PM

The convert command has options to control the format of the time string, but I prefer to use strftime.

|makeresults
|eval pubdate="2022-09-30,2021-08-31"
|makemv delim="," pubdate
|mvexpand pubdate
|eval epochtime=strptime(pubdate, "%Y-%m-%d") 
|eval 30days=relative_time(epochtime, "+30d")
|eval 30days=strftime('30days', "%Y-%m-%d")
|table pubdate, 30days

I also used relative_time() to compute the new timestamp.

I didn't do it in my example, but try to avoid field names beginning with digits as they can confuse the parser.  For instance, the strftime call failed until I used single quotes around the first argument.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-29-2022 01:23 PM

The convert command has options to control the format of the time string, but I prefer to use strftime.

|makeresults
|eval pubdate="2022-09-30,2021-08-31"
|makemv delim="," pubdate
|mvexpand pubdate
|eval epochtime=strptime(pubdate, "%Y-%m-%d") 
|eval 30days=relative_time(epochtime, "+30d")
|eval 30days=strftime('30days', "%Y-%m-%d")
|table pubdate, 30days

I also used relative_time() to compute the new timestamp.

I didn't do it in my example, but try to avoid field names beginning with digits as they can confuse the parser.  For instance, the strftime call failed until I used single quotes around the first argument.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

mistydennis
Communicator
‎09-29-2022 01:34 PM

Thank you, @richgalloway ! I see you have answered MANY questions regarding date and timestamps here - maybe it's time for you to just write a book and help us all out 🙂

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-29-2022 01:27 PM

In most cases I also prefer to use strftime, but in adhoc  queries and especially with mv fields, it’s easier way to convert all values.

0 Karma
Reply
Solved! Jump to solution

isoutamo
SplunkTrust
SplunkTrust
‎09-29-2022 01:18 PM

Hi

have you tried 

...
| convert timeformat="%Y-%m-%d" ctimes(30days)

r. Ismo 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...