Solved: Unable to eval correct epoch time

smuderasi · ‎08-22-2017

host=*****|  eval Time="17:00:00"|eval Time2="13:00:00" |eval Time=strptime(Time,"%H:%M:%S")  |eval Time2=strptime(Time2,"%H:%M:%S")  | table Time Time2

is giving the epoch time as
Time :1503327600.000000

Time2 :1503399600.000000

when I do a comparison of Time>Time2 is returning wrong result since the epoch is Time2 is greater.
Please help.

cmerriman · ‎08-22-2017

try using |convert dur2sec(Time) as Time timeformat="%H:%M:%S" and the same for Time2 instead of strptime.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Convert

View solution in original post

cmerriman · ‎08-22-2017

try using |convert dur2sec(Time) as Time timeformat="%H:%M:%S" and the same for Time2 instead of strptime.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Convert

smuderasi · ‎08-22-2017

thanks this worked

Unable to eval correct epoch time

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation