Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

mktime/strptime error (not working as documented)

npt05001
Engager
‎07-15-2010 01:37 PM

I have a field in some events that contains a time as a string. The times are in the format "2010-07-15-13", which the fields representing "%Y-%m-%d-%H" (year,month,day,24-hour). I'm trying to convert this string to a time, and I've tried several functions-

| eval _time=strptime(hour,"%Y-%m-%d-%H")

| convert timeformat="%Y-%m-%d-%H" mktime(hour) as _time

However, neither of these functions gives me the correct results. I do get a result- I read that if the provided format string doesn't match the string to parse, you get no result- but the result is wrong, having chopped off the hour portion of the string. Example-

2010-07-08-10 -> 7/8/10 12:00:00.000 AM

2010-07-08-11 -> 7/8/10 12:00:00.000 AM

This is not the result I'm looking for as I need the hour data to be in my end result.

Does anyone know why these functions are not working as expected?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-15-2010 01:55 PM

How about just appending the minutes so it is parseable as a time stamp? 

| eval _time=strptime(_time+"-00","%Y-%m-%d-%H-%M")

View solution in original post

Reply
Solved! Jump to solution
Solution

gkanapathy
Splunk Employee
Splunk Employee
‎07-15-2010 01:55 PM

How about just appending the minutes so it is parseable as a time stamp? 

| eval _time=strptime(_time+"-00","%Y-%m-%d-%H-%M")
Reply
Solved! Jump to solution

npt05001
Engager
‎07-15-2010 02:13 PM

That works! Thanks a lot. I wonder if I should submit a bug report, because I shouldn't really have to do this, and it still doesn't work with the convert command, but at least I have my desired results.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...