Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Issue with Time Conversion in JSON String

leftrightleft
Explorer
‎11-16-2021 08:34 PM

Hey 👋,

I'm trying to get the time difference between when an event was received and a string representation of the time in the event.  

Here's an example of the event:

 

{
    "action": "created",
    "alert": {
        "number": 818,
        "created_at": "2021-11-16T21:52:12Z",
        "url": "https://somewebsite.com"
    }
}

 

The issue is the conversion of the time in "alert.created_at" from string to epoch.  Once I'm able to get the epoch representation, calculating the difference from _time is easy.  

I'm working off this eval statement, but cant get it to work:

 

 | eval strtime=strptime(alert.created_at, "%Y-%m-%dT%H:%M:%SZ") | table strtime

 

Any thoughts?  Thanks!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-16-2021 09:30 PM

@leftrightleft 

 

Can you please try this?

| eval strtime=strptime('alert.created_at', "%Y-%m-%dT%H:%M:%SZ")

 

My Sample Search :

| makeresults 
| eval _raw="{\"action\": \"created\",\"alert\": {\"number\": 818,\"created_at\": \"2021-11-16T21:52:12Z\",\"url\": \"https://somewebsite.com\"}}" 
| spath 
| eval strtime=strptime('alert.created_at', "%Y-%m-%dT%H:%M:%SZ")


 KV

View solution in original post

Reply
Solved! Jump to solution
Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-16-2021 09:30 PM

@leftrightleft 

 

Can you please try this?

| eval strtime=strptime('alert.created_at', "%Y-%m-%dT%H:%M:%SZ")

 

My Sample Search :

| makeresults 
| eval _raw="{\"action\": \"created\",\"alert\": {\"number\": 818,\"created_at\": \"2021-11-16T21:52:12Z\",\"url\": \"https://somewebsite.com\"}}" 
| spath 
| eval strtime=strptime('alert.created_at', "%Y-%m-%dT%H:%M:%SZ")


 KV

Reply
Solved! Jump to solution

leftrightleft
Explorer
‎11-17-2021 07:38 AM

@kamlesh_vaghela, I wish I could give you more than just a thumbs up.  At a minimum, you deserve a high five.  Honestly, I would probably even give you a hug if I could 😄

Seriously though, thanks a lot.  I really was struggling with this.  I didn't realize the single quotes were what was needed.  I actually tried double quotes around the field name at one point, but it interpreted it as literally "alert.created_at".

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...