_time
2016-03-02 07:00:13.405
Above is the _time data format in the logs. I need to find the difference between a few dates, so I'm trying to convert to epoch.
Used the following search, but when I table the output, I don't get the converted time:
| eval Processedtime=strptime(_time,"%Y-%m-%d %H:%M:%S") | table Processedtime
Appreciate any suggestions.
Before you jump on doing all the calculation and conversions, the _time is a special field in Splunk whose actual value is already in epoch format but displayed in human-readable format when shown in the Splunk UI. Any operation done with the value of _time is already in epoch. If you want to see the epoch value of it, just create a new field with the same value as _time:
your base search | eval Processed_time=_time | table Processed_time
Noted, thanks for the answer.
Thanks, this worked.
Before going through the pain of converting epoch, maybe the "delta" command will do what you are looking to achieve. Delta will compute the difference between nearby results using the value of a specific numeric field. When used on the _time field it returns the difference in seconds.
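The following search is an added example (not from either answer above) that pulls both points together: _time is already epoch, so a date stored as text in another field only needs strptime to line it up with it, and delta then gives the gap between consecutive results. It uses makeresults to build three constructed events, so it runs on any Splunk instance without real data; the field names event_end, end_epoch, duration_sec and gap_since_prev are assumptions chosen for the example, and the date literal is the one from the question with a fractional-second pattern (%3N) added so the ".405" is not lost.

```spl
| makeresults count=3
| streamstats count AS n
| eval _time = strptime("2016-03-02 07:00:13.405", "%Y-%m-%d %H:%M:%S.%3N") + (n - 1) * 90
| eval epoch = _time
| eval event_end = strftime(_time + 45 + n, "%Y-%m-%d %H:%M:%S.%3N")
| eval end_epoch = strptime(event_end, "%Y-%m-%d %H:%M:%S.%3N")
| eval duration_sec = end_epoch - _time
| delta _time AS gap_since_prev
| table _time, epoch, event_end, end_epoch, duration_sec, gap_since_prev
```

In the table, _time renders as a human-readable timestamp while epoch shows the same value as a raw number, which is the point of the accepted answer. event_end is a text date (the shape the question describes), so it does need strptime before arithmetic; the format string must match the stored text exactly, including the fractional seconds, or strptime returns null and duration_sec disappears from the output. gap_since_prev is 90 for the second and third rows and empty for the first, because delta compares each result with the one before it in the current result order.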
Hi,
You will have to use "%s" ... you can refer here for details.
Eg:
| eval Processedtime=strptime(_time,"%s") | table _time,Processedtime