Solved: Have problem with my timestamp format

jcvytla · ‎04-04-2018

I'm trying to do forecasting on hourly data. I'm getting error , even though I change my time format. need help in converting "3/5/2018 0:49" into unix time stamp.

adonio · ‎04-04-2018

try this:

| makeresults count=1 | eval time = "3/5/2018 0:49"
| eval in_epoch = strptime(time, "%m/%d/%Y %H:%M")

hope it helps

View solution in original post

lsnow_splunk · ‎04-04-2018

Hi, @jcvytla-

Check out the "convert" command. The syntax for your case would look something like

convert timeformat=%m/%d/%Y %H:%M mktime(existing_time_field) AS epoch_time

but double check the time format if it doesn't seem to be working for you - the lack of leading zeroes in your timestamp might mean that you have to tweak that.

adonio · ‎04-04-2018

try this:

| makeresults count=1 | eval time = "3/5/2018 0:49"
| eval in_epoch = strptime(time, "%m/%d/%Y %H:%M")

hope it helps

jcvytla · ‎04-04-2018

Could you please help me with time chart for the same time format?

Thanks in advance

adonio · ‎04-04-2018

for timechart youll need to convert your time to the field _time
same thing, and now you can | timechart ... as foo | predict foo

Have problem with my timestamp format

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?