Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

strptime calculation not working correctly with / but works with - timeformat

youngsuh
Contributor
‎12-20-2023 08:04 AM

Hi, communities,

I am doing a calculation or eval command.  

 

 

| eval dormancy=if(last_login="(never)",round((now()-strptime(created,"%Y-%m-%d"))/86400),round((now()-strptime(last_login,"%Y-%m-%d"))/86400))

 

 

The above calculate dormancy number correctly but, soon as I change the following code:

 

 

| eval dormancy=if(last_login="(never)",round((now()-strptime(created,"%Y/%m/%d"))/86400),round((now()-strptime(last_login,"%Y/%m/%d"))/86400))

 

 

from "-" to "/" strptime doesn't calculate the dormancy days.  Is this limit of strptime or am I doing something wrong?

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-20-2023 08:21 AM

It sounds like you timestamps "created" and "last_login" have the format "%Y-%m-%d" in the events.

Trying to convert them to epoch using a different format will not work. For example

dtburrows3_0-1703089049861.png


If you have a situations where your events have these field in a mixture of both formats, maybe you could adjust your eval to be something more like this?

| eval
        dormancy=if(
            last_login="(never)",
                round((now()-case(match(created, "^\d{4}\-\d{2}\-\d{2}"), strptime(created,"%Y-%m-%d"), match(created, "^\d{4}\/\d{2}\/\d{2}"), strptime(created,"%Y/%m/%d")))/86400),
                round((now()-case(match(last_login, "^\d{4}\-\d{2}\-\d{2}"), strptime(last_login,"%Y-%m-%d"), match(last_login, "^\d{4}\/\d{2}\/\d{2}"), strptime(last_login,"%Y/%m/%d")))/86400)
            )

 
This seem to extract both formats properly

dtburrows3_1-1703089297540.png

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-20-2023 08:21 AM

It sounds like you timestamps "created" and "last_login" have the format "%Y-%m-%d" in the events.

Trying to convert them to epoch using a different format will not work. For example

dtburrows3_0-1703089049861.png


If you have a situations where your events have these field in a mixture of both formats, maybe you could adjust your eval to be something more like this?

| eval
        dormancy=if(
            last_login="(never)",
                round((now()-case(match(created, "^\d{4}\-\d{2}\-\d{2}"), strptime(created,"%Y-%m-%d"), match(created, "^\d{4}\/\d{2}\/\d{2}"), strptime(created,"%Y/%m/%d")))/86400),
                round((now()-case(match(last_login, "^\d{4}\-\d{2}\-\d{2}"), strptime(last_login,"%Y-%m-%d"), match(last_login, "^\d{4}\/\d{2}\/\d{2}"), strptime(last_login,"%Y/%m/%d")))/86400)
            )

 
This seem to extract both formats properly

dtburrows3_1-1703089297540.png

 

Reply
Get Updates on the Splunk Community!

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Stay Connected: Your Guide to April Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...
Top