Solved: strptime conversion difficulty from a string

mdurdel · ‎11-11-2019

Hello,

I am having difficulty getting the strptime function to properly convert my date string into a usable and accurate time stamp. Here is an example of the string and the strptime function I have tried. Can you help with the proper conversion please?

string=05-NOV-19 10.53.49.287000 AM AMERICA/CHICAGO

This did not work: | eval first_res_time = strptime(previous_resolution_time, "%d/%B/%y %H/%M/%S/%N")

Thank you,

-MD

mayurr98 · ‎11-11-2019

Try this:

| makeresults 
| eval string="05-NOV-19 10.53.49.287000 AM AMERICA/CHICAGO" 
| eval first_res_time=strptime(string, "%d-%b-%y %I.%M.%S.%6N %p")

For timezone, you may need to make changes in the props.conf:

TZ=America/Chicago

Refer https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
Splunk docs https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Applytimezoneoffsetstotimestamps

View solution in original post

mayurr98 · ‎11-11-2019

Try this:

| makeresults 
| eval string="05-NOV-19 10.53.49.287000 AM AMERICA/CHICAGO" 
| eval first_res_time=strptime(string, "%d-%b-%y %I.%M.%S.%6N %p")

For timezone, you may need to make changes in the props.conf:

TZ=America/Chicago

Refer https://en.wikipedia.org/wiki/List_of_tz_database_time_zones
Splunk docs https://docs.splunk.com/Documentation/Splunk/8.0.0/Data/Applytimezoneoffsetstotimestamps

mdurdel · ‎11-11-2019

Thank you @mayurr98

richgalloway · ‎11-11-2019

That strptime format string doesn't match the data. Try %-%b-%y %h.%M.%S.%6N %p %Z. I'm not sure Splunk will recognize "AMERICA/CHICAGO" as time zone identifier, though.

---
If this reply helps you, Karma would be appreciated.

strptime conversion difficulty from a string

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor