I have a time in the format of:
Dec 23, 2015 11:45:26 BRST
I'm trying to convert this to epoch time and later to a simple date format (dd/mm/year). Can anyone lend a hand?
Thanks!
Assuming you have a field called my_time
, try this:
| rex field=my_time mode=sed "s/ BRST$/ -0200/"
| eval my_time_epoch = strptime(my_time, "%b %d, %Y %H:%M:%S %Z")
| eval _time = my_time_epoch
We need to modify the timezone because Splunk does not recognize BRST
.
Keep an eye on your time zone as it could be a problem.
For instance, the following works (using UTC - 3)
| eval my_time = "Dec 23, 2015 11:38:00 -0300"
| eval my_time_epoch = strptime(my_time, "%b %d, %Y %H:%M:%S %z")
| eval _time = my_time_epoch
The following doesn't:
| eval my_time = "Dec 23, 2015 11:38:00 BRST"
| eval my_time_epoch = strptime(my_time, "%b %d, %Y %H:%M:%S %Z")
| eval _time = my_time_epoch
Try this,
|stats c | eval date="Dec 23, 2015 11:45:26 BRST" | eval epoch=strptime(date, "%b %d,%Y %H:%M:%S" ) | convert ctime(epoch) as conv
Read more on date variables in the below link,
http://docs.splunk.com/Documentation/Splunk/6.1.2/SearchReference/Commontimeformatvariables
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Convert
Thanks,
V
Hi bruno_eduardo, I belive that the convert command will work for you in this case http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/Convert
| convert mktime(timefield)
As the convert documentation hints, the strftime and strptime eval functions will help as well. http://docs.splunk.com/Documentation/Splunk/6.4.0/SearchReference/CommonEvalFunctions
Please let me know if this answers your question!