Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is strptime() eval not working?

dtibi
Explorer
‎05-17-2023 02:14 AM

I'm trying to evaluate the date string to a time format sing the strptime()

the format I have is:  
Tue_Oct_25_03:57:49_IDT_2022

the strptime function looks like: 
strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y")


Running the query:
index="some_index" source="some_source" | head 20 | eval d=strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y") | table d date

shows me a table with empty d values and date is showing as expected.
What am I doing wrong here?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 04:28 AM

This looks like a bug - IDT doesn't appear to be supported by strptime() - try replacing it with the equivalent

| eval d=strptime(replace(date,"IDT","+0300"),"%a_%b_%d_%H:%M:%S_%z_%Y")

Note the change to lowercase z in the timeformat

View solution in original post

Reply
Solved! Jump to solution

dtibi
Explorer
‎05-17-2023 05:24 AM

You mean the copy from screen to code sample like this ? (see below) 
Do know if there Is a way to debug this further?
maybe because the field name is date it has some internal conflict or some other black magic causing this not to work? 😜

index="index_name" source="source_name" | head 20 | eval d=strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y") | table d date


d	date
 	Tue_Oct_25_03:57:49_IDT_2022
 	Tue_Oct_25_03:57:48_IDT_2022
 	Tue_Oct_25_03:57:48_IDT_2022
 	Tue_Oct_25_03:57:47_IDT_2022

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2023 05:55 AM

Hi @dtibi,

yes this is the way to share code or samples that can be reused.

Could you share the sample logs not the results of the search?

Anyway, probably the solution is the one indicated by @ITWhisperer .

Ciao.

Giuseppe

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 05:40 AM

As I said, IDT doesn't appear to be supported by Splunk's strptime() function.

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 04:28 AM

This looks like a bug - IDT doesn't appear to be supported by strptime() - try replacing it with the equivalent

| eval d=strptime(replace(date,"IDT","+0300"),"%a_%b_%d_%H:%M:%S_%z_%Y")

Note the change to lowercase z in the timeformat

Reply
Solved! Jump to solution

dtibi
Explorer
‎05-17-2023 05:42 AM

Thank you!!!! @ITWhisperer 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2023 05:57 AM

Hi @dtibi ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

dtibi
Explorer
‎05-17-2023 03:20 AM

Hi @gcusello 
Thanks for the reply.
I'm pretty sure.
This issue waisted a lot of my time. not sure how to handle. 
Would very much appreciate any help.

Screenshot 2023-05-17 131725.jpg

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2023 03:25 AM

Hi @dtibi ,

could you share some sample of your logs?

please use the Insert/Edit code sample button and not a screenshot!

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2023 02:28 AM

Hi @dtibi,

the strptime funtion is correct, are you sure about the date values?

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...