Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Why is strptime() eval not working?

dtibi
Explorer
‎05-17-2023 02:14 AM

I'm trying to evaluate the date string to a time format sing the strptime()

the format I have is:  
Tue_Oct_25_03:57:49_IDT_2022

the strptime function looks like: 
strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y")


Running the query:
index="some_index" source="some_source" | head 20 | eval d=strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y") | table d date

shows me a table with empty d values and date is showing as expected.
What am I doing wrong here?

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 04:28 AM

This looks like a bug - IDT doesn't appear to be supported by strptime() - try replacing it with the equivalent

| eval d=strptime(replace(date,"IDT","+0300"),"%a_%b_%d_%H:%M:%S_%z_%Y")

Note the change to lowercase z in the timeformat

View solution in original post

Reply
Solved! Jump to solution

dtibi
Explorer
‎05-17-2023 05:24 AM

You mean the copy from screen to code sample like this ? (see below) 
Do know if there Is a way to debug this further?
maybe because the field name is date it has some internal conflict or some other black magic causing this not to work? 😜

index="index_name" source="source_name" | head 20 | eval d=strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y") | table d date


d	date
 	Tue_Oct_25_03:57:49_IDT_2022
 	Tue_Oct_25_03:57:48_IDT_2022
 	Tue_Oct_25_03:57:48_IDT_2022
 	Tue_Oct_25_03:57:47_IDT_2022

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2023 05:55 AM

Hi @dtibi,

yes this is the way to share code or samples that can be reused.

Could you share the sample logs not the results of the search?

Anyway, probably the solution is the one indicated by @ITWhisperer .

Ciao.

Giuseppe

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 05:40 AM

As I said, IDT doesn't appear to be supported by Splunk's strptime() function.

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-17-2023 04:28 AM

This looks like a bug - IDT doesn't appear to be supported by strptime() - try replacing it with the equivalent

| eval d=strptime(replace(date,"IDT","+0300"),"%a_%b_%d_%H:%M:%S_%z_%Y")

Note the change to lowercase z in the timeformat

Reply
Solved! Jump to solution

dtibi
Explorer
‎05-17-2023 05:42 AM

Thank you!!!! @ITWhisperer 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2023 05:57 AM

Hi @dtibi ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

Reply
Solved! Jump to solution

dtibi
Explorer
‎05-17-2023 03:20 AM

Hi @gcusello 
Thanks for the reply.
I'm pretty sure.
This issue waisted a lot of my time. not sure how to handle. 
Would very much appreciate any help.

Screenshot 2023-05-17 131725.jpg

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2023 03:25 AM

Hi @dtibi ,

could you share some sample of your logs?

please use the Insert/Edit code sample button and not a screenshot!

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎05-17-2023 02:28 AM

Hi @dtibi,

the strptime funtion is correct, are you sure about the date values?

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...