Getting eval error "Typechecking failed, '-' only ...

ITCrowd · ‎12-01-2014

(index=unix) (sourcetype="web") | eval Time.atFirewall=DateOutbound-DateInbound | eval Time.atDataCentre=strptime(index_time,"yyyy-MM-dd'T'HH:mm:ss.SSSZ") | eval Time.SendGrid=Time.atDataCentre-DateInbound | table index_time DateInbound DateOutbound Time.atFirewall Time.atDataCentre

I get this in search:
Error in 'eval' command: Typechecking failed. '-' only takes numbers.

DateOutbound & DateInbound are Epoch Time fields, and I wanted to convert index time to Epoch to do the maths. It seems that Time.atDataCentre is not assigned an Epoch time value, it's not a number, hence the Error message from Splunk. I am following the documentation on strptime, so puzzled.

Anyone ever convert long date / Zulu date to Epoch time?

richgalloway · ‎12-01-2014

Your strptime() format string is incorrect. You probably want something like strptime(index_time,"%Y-%m-%dT%H:%M:%S.%3NZ"). See aholzer's comment for a link to the docs.

---
If this reply helps you, Karma would be appreciated.

aholzer · ‎12-01-2014

A few of things:

is "index_time" a field in your results? or are you referring to the Splunk index time, which is referred to as "_indextime"?
If you ARE referring to _indextime, then it is unnecessary to try to convert it to Epoch time as it already comes in Epoch time.
When using strptime you must conform to using this specific set of time/date formats to define the format of the conversion.

Hope this helps

Getting eval error "Typechecking failed, '-' only takes numbers." How to convert Zulu time format to Epoch using strptime?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life