Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to convert a lookup date field to epoch

theouhuios
Motivator
‎08-26-2013 05:39 PM

Hello

I have a lookup table which has a Datetime field like 1/20/2013 or 4/29/2013. Now I need to convert it to epoch time to compare it to the normal time when the search ran. We can take the H:M:S as 00:00:00.

Any idea on what can be done?

Thanks

Tags (1)
0 Karma
Reply

rturk
Builder
‎08-26-2013 05:53 PM

Hi Theouhuios,

What you will need to do is specify in the lookup definition (in transforms.conf) that one of the fields is in fact a time value. There shouldn't be any need to convert it to epoch seconds.

Example:

[eventLookup]
filename = events.csv
time_field = Datetime
time_format = %m/%d/%Y

Without the hours, minutes, and seconds being defined it should default to 00:00:00.

Hope this helps 🙂

Ref: http://docs.splunk.com/Documentation/Splunk/5.0.4/Knowledge/Addfieldsfromexternaldatasources#Set_up_...

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...