Splunk Search

Why am I unable to convert _time to epoch with my search?

Explorer
_time
2016-03-02 07:00:13.405

Above _time is the data format in the logs. I need to find difference between a few dates, so I'm trying to convert to epoch
Used the following search, but when I table the output, I don't get the converted time:

| eval Processedtime=strptime(_time,"%Y-%m-%d %H:%M:%S") | table Processedtime

Appreciate any suggestions.

1 Solution

Revered Legend

Before you jump on doing all the calculation and conversions, the _time is a special field in Splunk whose actual value is already in epoch format but displayed in human readable format when show in Splunk UI. Any operation done with value of _time is already in epoch. If you want to see the epoch value of it, just create a new field with same value as _time

your base search | eval Processed_time=_time | table Processed_Time

View solution in original post

Revered Legend

Before you jump on doing all the calculation and conversions, the _time is a special field in Splunk whose actual value is already in epoch format but displayed in human readable format when show in Splunk UI. Any operation done with value of _time is already in epoch. If you want to see the epoch value of it, just create a new field with same value as _time

your base search | eval Processed_time=_time | table Processed_Time

View solution in original post

Noted, Thanks for the answer

0 Karma

Explorer

thanks this worked.

0 Karma

Splunk Employee
Splunk Employee

Before going through the pin of converting epoch, maybe the "delta" command will do what you are looking to achieve. Delta will compute the difference between nearby results using the value of a specific numeric field. When used on the _time field it returns the difference in seconds.

0 Karma

Contributor

hi,
You will have to use "%s" ... you can refer here for details.
Eg:
| eval Processedtime=strptime(_time,"%s") | table _time,Processedtime

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!