I'm trying to evaluate the date string to a time format using the strptime()
the format I have is:
Tue_Oct_25_03:57:49_IDT_2022
the strptime function looks like:
strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y")
Running the query:
index="some_index" source="some_source" | head 20 | eval d=strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y") | table d date
shows me a table with empty d values and date is showing as expected.
What am I doing wrong here?
This looks like a bug - IDT doesn't appear to be supported by strptime() - try replacing it with the equivalent
| eval d=strptime(replace(date,"IDT","+0300"),"%a_%b_%d_%H:%M:%S_%z_%Y")
Note the change to lowercase z in the timeformat
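The same normalization applied outside Splunk, for example in a script that pre-processes events before indexing. This is an added Python example, not code from the thread or from Splunk. It swaps the zone abbreviation for a numeric offset, parses with `%z`, and reports abbreviations it cannot map instead of silently returning an empty value. The function names, the offset table and the `IST` entry (taken here to mean Israel Standard Time, +0200) are assumptions.

```python
import re
from datetime import datetime

# Assumed mapping, not a complete zone database. Abbreviations are ambiguous
# (IST is also used for India and Ireland), so keep the table per log source.
TZ_OFFSETS = {"IDT": "+0300", "IST": "+0200"}

# Same layout as the thread's format string, with numeric %z instead of %Z.
FMT = "%a_%b_%d_%H:%M:%S_%z_%Y"
TZ_FIELD = re.compile(r"_([A-Za-z]{2,5})_(\d{4})$")


def to_epoch(date):
    """Return epoch seconds for a date string, or None if it cannot be parsed."""
    m = TZ_FIELD.search(date)
    if m is None or m.group(1) not in TZ_OFFSETS:
        return None
    normalized = date[:m.start()] + "_" + TZ_OFFSETS[m.group(1)] + "_" + m.group(2)
    try:
        return datetime.strptime(normalized, FMT).timestamp()
    except ValueError:
        return None


def unmapped_zones(dates):
    """List abbreviations with no offset entry, so gaps are visible up front."""
    found = set()
    for date in dates:
        m = TZ_FIELD.search(date)
        if m and m.group(1) not in TZ_OFFSETS:
            found.add(m.group(1))
    return sorted(found)


# Constructed sample values in the format shown in the question.
SAMPLES = [
    "Tue_Oct_25_03:57:49_IDT_2022",
    "Tue_Jan_25_03:57:49_IST_2022",
    "Tue_Oct_25_03:57:49_XYZ_2022",  # made-up abbreviation, stays unparsed
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, to_epoch(s))
    print("unmapped:", unmapped_zones(SAMPLES))
```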
You mean the copy from screen to code sample like this? (see below)
Do you know if there is a way to debug this further?
maybe because the field name is date it has some internal conflict or some other black magic causing this not to work? 😜
index="index_name" source="source_name" | head 20 | eval d=strptime(date,"%a_%b_%d_%H:%M:%S_%Z_%Y") | table d date
d date
Tue_Oct_25_03:57:49_IDT_2022
Tue_Oct_25_03:57:48_IDT_2022
Tue_Oct_25_03:57:48_IDT_2022
Tue_Oct_25_03:57:47_IDT_2022
Hi @dtibi,
yes this is the way to share code or samples that can be reused.
Could you share the sample logs not the results of the search?
Anyway, probably the solution is the one indicated by @ITWhisperer.
Ciao.
Giuseppe
As I said, IDT doesn't appear to be supported by Splunk's strptime() function.
Hi @dtibi,
good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated by all the contributors 😉
Hi @gcusello
Thanks for the reply.
I'm pretty sure.
This issue wasted a lot of my time. Not sure how to handle.
Would very much appreciate any help.
Hi @dtibi,
could you share some sample of your logs?
please use the Insert/Edit code sample button and not a screenshot!
Ciao.
Giuseppe