Re: Why does strptime not parse timestamps to nano...

andrewtrobec · ‎10-26-2023

Splunk Enterprise 9.0.5.1

Hello!

I have to calculate the delta between two timestamps that have nanosecond granularity. According to Splunk documentation nanoseconds are supported with either %9N or %9Q: https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Commontimeformatvariables

When I try to parse a timestamp with nanosecond granularity, however, it stops at microseconds and calculates the delta in microseconds as well. My expectation is that Splunk should maintain and manage nanoseconds.

Here is a run anywhere:

| makeresults
| eval start = "2023-10-24T18:09:24.900883123"
| eval end = "2023-10-24T18:09:24.902185512"
| eval start_epoch = strptime(start,"%Y-%m-%dT%H:%M:%S.%9N")
| eval end_epoch = strptime(end,"%Y-%m-%dT%H:%M:%S.%9N")
| table start end start* end*
| eval delta = end_epoch - start_epoch
| eval delta_round = round(end_epoch - start_epoch,9)

Is this a defect or am I doing something wrong?

Thank you!

Andrew

ITWhisperer · ‎10-26-2023

Looks like a defect to me

Why does strptime not parse timestamps to nanoseconds (%9N/%9Q)?

eval

other

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?