- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Formatting String to Time returns nothing
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is my query:
"TSStart"="2013-10-14T18:35:03.487" | eval MyTime=strptime(TSStart,"%Y-%m-%dT%T")
My Time Format for start time is in the format as above: 2013-10-14T18:35:03.487
The goal of this is to show the datetime in a format that is more readable, I want to first attempt to parse it into a timestamp format.
This is not the same field I am using for my Timestamp value as there is also a TSEnd within the data that I will need to format.
My query is not coming back with anything for "MyTime" and not throwing any errors in the logs.
Is my date format string incorrect? I have tried several variations and cannot get this to work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I believe I have figured out this issue. I am using an XML type of Structure and the fields are auto mapped via the KV_MODE = xml. The Field is Actually Event.TSStart.
I did a rename on the field (| rename Event.TSStart as TSStart) and it started working.
I attempted first to surround Event.TSStart with Quotations, but it litterally put "Event.TSStart" in the formula.
I am not sure if this is a bug or intended.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok I believe I have figured out this issue. I am using an XML type of Structure and the fields are auto mapped via the KV_MODE = xml. The Field is Actually Event.TSStart.
I did a rename on the field (| rename Event.TSStart as TSStart) and it started working.
I attempted first to surround Event.TSStart with Quotations, but it litterally put "Event.TSStart" in the formula.
I am not sure if this is a bug or intended.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Basically if your field has a . in it, the formulas fail, even trim
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried your search and its working for me. I see you want to get rid of milliseconds (otherwise the format is same). Can you try following: "TSStart"="2013-10-14T18:35:03.487" | eval MyTime=strptime(mvindex(split(TSStart,"."),0),"%Y-%m-%dT%T")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That works for me.
| eval TSStart="2013-10-14T18:35:03.487" | eval MyTime=strptime(TSStart,"%Y-%m-%dT%T") | eval MyTime2=strptime(TSStart,"%Y-%m-%dT%H:%M:%S.%3N") | table TSStart, MyTime, MyTime2
TSStart MyTime MyTime2
2013-10-14T18:35:03.487 1381790103.000000 1381790103.487000
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah I've tried
strptime(TSStart,"%Y-%m-%dT%T.%3N") and seperating hour, minute, second as well.
I just tried the one you have there and it did not work either
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried including the milliseconds?
"TSStart"="2013-10-14T18:35:03.487" | eval MyTime=strptime(TSStart,"%Y-%m-%dT%T.%f")
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
