I am using imported CSV data to search throughout Splunk, and the CSV file defines the column TIME and only includes the year and month in the format YYYY-MM. I am attempting to convert that field into a UTC UNIX timestamp using the strptime() function but have not had any success.
This is an image of the extracted fields with a basic search:
These were the searches I used when attempting to use the strptime() function. All of the examples did not work.
index="financial_data" source="consumer_confidence_index.csv" LOCATION=USA | eval TIME=strptime(TIME, "%Y-%m")
index="financial_data" source="consumer_confidence_index.csv" LOCATION=USA | eval TIME=TIME."-00:00:00:00", TIME=strptime(TIME, "%Y-%m-%d:%H:%M:%S")
index="financial_data" source="consumer_confidence_index.csv" LOCATION=USA | eval my_time=strptime('TIME', "%Y-%m")
index="financial_data" source="consumer_confidence_index.csv" LOCATION=USA | eval my_time=strptime(YEAR.MONTH, "%Y-%m")
Additionally, I also tried using the convert command and that didn't work either. Both of the examples below did not work.
index="financial_data" source="consumer_confidence_index.csv" LOCATION=USA | convert timeformat="%Y-%m" mktime(TIME) AS NEW_TIME
index="financial_data" source="consumer_confidence_index.csv" LOCATION=USA | eval TIME=TIME."-00:00:00:00" | convert timeformat="%Y-%m-%d:%H:%M:%S" mktime(TIME) AS NEW_TIME
Any advice is appreciated, thank you.