Unable to eval correct epoch time

Explorer
host=***** | eval Time="17:00:00" | eval Time2="13:00:00" | eval Time=strptime(Time,"%H:%M:%S") | eval Time2=strptime(Time2,"%H:%M:%S") | table Time Time2

is giving the epoch time as
Time: 1503327600.000000

Time2: 1503399600.000000

When I do a comparison of Time>Time2, it returns the wrong result, since the epoch of Time2 is greater.
Please help.

0 Karma
1 Solution

Super Champion

Try using |convert dur2sec(Time) as Time timeformat="%H:%M:%S" and the same for Time2 instead of strptime.
https://docs.splunk.com/Documentation/SplunkCloud/6.6.1/SearchReference/Convert

Explorer

thanks this worked

0 Karma
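Added example, not part of the original thread: a Python sketch that decodes the two epoch values posted in the question to show they carry different calendar dates, then compares the same strings as seconds, which is the comparison the accepted answer switches to. The `dur2sec` function here is a re-implementation that assumes the `[D+]HH:MM:SS` duration format from the linked convert documentation, and the UTC offset is inferred from the posted numbers, not stated by the poster.

```python
import re
from datetime import datetime, timezone

# Epoch values quoted in the question, keyed by the time-only string that produced them.
POSTED = {"17:00:00": 1503327600, "13:00:00": 1503399600}

_DURATION = re.compile(r"^(?:(\d+)\+)?(\d{1,2}):([0-5]\d):([0-5]\d)$")


def dur2sec(value):
    """Seconds in a "[D+]HH:MM:SS" duration string (assumed dur2sec input format)."""
    match = _DURATION.match(value.strip())
    if match is None:
        raise ValueError(f"not a [D+]HH:MM:SS duration: {value!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in match.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def implied_local_date(clock, epoch):
    """Return (date, utc_offset_seconds) that the epoch attached to a clock string."""
    # Offset inferred by comparing the clock string with the epoch's UTC time of day.
    offset = (dur2sec(clock) - epoch % 86400) % 86400
    if offset > 14 * 3600:  # fold into the real-world range UTC-12..UTC+14
        offset -= 86400
    local = datetime.fromtimestamp(epoch + offset, timezone.utc)
    return local.date().isoformat(), offset


def compare_posted():
    """Contrast the full-timestamp comparison with the seconds-only comparison."""
    late, early = "17:00:00", "13:00:00"
    return {
        "dates": [implied_local_date(c, e)[0] for c, e in POSTED.items()],
        "epoch_says_later": POSTED[late] > POSTED[early],
        "dur2sec_says_later": dur2sec(late) > dur2sec(early),
    }


if __name__ == "__main__":
    print(compare_posted())
```

The posted epochs are full timestamps that fall on two different days, so comparing them compares dates as well as clock times; the seconds-only values depend on the clock string alone.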