Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

strptime calculation not working correctly with / but works with - timeformat

youngsuh
Contributor
‎12-20-2023 08:04 AM

Hi, communities,

I am doing a calculation or eval command.  

 

 

| eval dormancy=if(last_login="(never)",round((now()-strptime(created,"%Y-%m-%d"))/86400),round((now()-strptime(last_login,"%Y-%m-%d"))/86400))

 

 

The above calculate dormancy number correctly but, soon as I change the following code:

 

 

| eval dormancy=if(last_login="(never)",round((now()-strptime(created,"%Y/%m/%d"))/86400),round((now()-strptime(last_login,"%Y/%m/%d"))/86400))

 

 

from "-" to "/" strptime doesn't calculate the dormancy days.  Is this limit of strptime or am I doing something wrong?

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-20-2023 08:21 AM

It sounds like you timestamps "created" and "last_login" have the format "%Y-%m-%d" in the events.

Trying to convert them to epoch using a different format will not work. For example

dtburrows3_0-1703089049861.png


If you have a situations where your events have these field in a mixture of both formats, maybe you could adjust your eval to be something more like this?

| eval
        dormancy=if(
            last_login="(never)",
                round((now()-case(match(created, "^\d{4}\-\d{2}\-\d{2}"), strptime(created,"%Y-%m-%d"), match(created, "^\d{4}\/\d{2}\/\d{2}"), strptime(created,"%Y/%m/%d")))/86400),
                round((now()-case(match(last_login, "^\d{4}\-\d{2}\-\d{2}"), strptime(last_login,"%Y-%m-%d"), match(last_login, "^\d{4}\/\d{2}\/\d{2}"), strptime(last_login,"%Y/%m/%d")))/86400)
            )

 
This seem to extract both formats properly

dtburrows3_1-1703089297540.png

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dtburrows3
Builder
‎12-20-2023 08:21 AM

It sounds like you timestamps "created" and "last_login" have the format "%Y-%m-%d" in the events.

Trying to convert them to epoch using a different format will not work. For example

dtburrows3_0-1703089049861.png


If you have a situations where your events have these field in a mixture of both formats, maybe you could adjust your eval to be something more like this?

| eval
        dormancy=if(
            last_login="(never)",
                round((now()-case(match(created, "^\d{4}\-\d{2}\-\d{2}"), strptime(created,"%Y-%m-%d"), match(created, "^\d{4}\/\d{2}\/\d{2}"), strptime(created,"%Y/%m/%d")))/86400),
                round((now()-case(match(last_login, "^\d{4}\-\d{2}\-\d{2}"), strptime(last_login,"%Y-%m-%d"), match(last_login, "^\d{4}\/\d{2}\/\d{2}"), strptime(last_login,"%Y/%m/%d")))/86400)
            )

 
This seem to extract both formats properly

dtburrows3_1-1703089297540.png

 

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...