Splunk Search

Can splunk convert a date to epoch time if the year is 1970

LWilliamson1
Explorer

When running the search:

| eval startTime="1970-01-01"| eval dateadded_epoch = strptime(startTime, "%Y-%m-%d")| table Jobname dateadded_epoch

alt text

I get no results, but if the year is changed to 1971 I get the expected output.

alt text

1 Solution

Richfez
SplunkTrust
SplunkTrust

I think you may have found a bug. I can reproduce proper results with any date in 1971 or newer, but none in 1970.

Jan 01, 1971 is 31557600 as you noticed, so you'd think that Dec 31st 1970 would be 31557600-86400, an answer which escapes my ability to run a calculator app right now, but which is decidedly greater than 0.

View solution in original post

Richfez
SplunkTrust
SplunkTrust

I think you may have found a bug. I can reproduce proper results with any date in 1971 or newer, but none in 1970.

Jan 01, 1971 is 31557600 as you noticed, so you'd think that Dec 31st 1970 would be 31557600-86400, an answer which escapes my ability to run a calculator app right now, but which is decidedly greater than 0.

Richfez
SplunkTrust
SplunkTrust

Even better:

index=* | eval startTime=31557600 
| eval a_dateadded_realdate = strftime(startTime, "%Y-%m-%d %H:%M:%S") 
| eval a_dateadded_epoch = strptime(a_dateadded_realdate, "%Y-%m-%d %H:%M:%S") 
| table startTime a_dateadded_epoch a_dateadded_realdate

If you run that, you'll get valid dates in both columns.

If you subtract one and use 31557599, the strftime works but the strptime won't convert it back.

0 Karma

bosburn_splunk
Splunk Employee
Splunk Employee

This is known, and not something that will be fixed.

Brian

Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...