Solved: Re: strptime and mktime not generating any values

thyrfa · ‎07-25-2016

I have a CSV with a date field that I want to convert to a timefield so that I can timechart it. When I run

 ...| rename "field I want" as time | eval time = case(substr(time, 1, 2) LIKE "%/", "0"+time, 1=1, time) |  convert timeformat="%m/%e/%Y  %I:%M %p" mktime(time) |

time ends up being always null. When I do

...| rename "field I want" as time | eval time = case(substr(time, 1, 2) LIKE "%/", "0"+time, 1=1, time) | eval ntime=strptime(time, "%m/%e/%Y  %I:%M %p") |

ntime doesn't even get created as a field. I'm 100% sure that the formatting is correct (though theres always a chance for errors) and I've tried everything I can think of. Why does neither function evaluate? An example of one of the strings I'm trying to convert is "1/1/2013 12:00 AM".

somesoni2 · ‎07-25-2016

I don't think you need that case statement at all. Following direct conversion works (run anywhere sample)

| gentimes start=-1 | eval time="1/1/2013 12:00 AM" | table time| eval ntime=strptime(time,"%m/%d/%Y %H:%M %p")

View solution in original post

somesoni2 · ‎07-25-2016

I don't think you need that case statement at all. Following direct conversion works (run anywhere sample)

| gentimes start=-1 | eval time="1/1/2013 12:00 AM" | table time| eval ntime=strptime(time,"%m/%d/%Y %H:%M %p")

thyrfa · ‎07-25-2016

Woah that worked! The issue was me putting the table after evaluating ntime. Why does that matter?

somesoni2 · ‎07-25-2016

It won't. Probably the timeformat you used was the issue, along with additional formatting you were trying.

strptime and mktime not generating any values

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!