Issue with strptime

singhh4
Path Finder

Hey guys,

So I've used strptime before but for some reason this isn't working properly. I have a column with different types of data like below:

Column  | Value
------------------
02/2016 | 100
03/2016 | 200
04/2016 | 150
05/2016 | 450
high    | 12
medium  | 30
low     | 34

I have a column that separates the dates from the rest. So with that, my search is simple:

index="servers" filter="dates" | eval myDate = strptime(Column, "%m/%Y")|table myDate 

"filter" would be the field that's used to separate the dates from other data. This search gives me nothing.
What would the problem be and how would I get it to work?

Thanks in advance!

0 Karma

somesoni2
SplunkTrust

The issue here is that strptime needs both date and month to parse a string-formatted date to epoch. Year is optional. Your data doesn't have the date part, hence strptime fails.

Option: add date part explicitly (when using month you anyways refer to first date of the month).

 index="servers" filter="dates" | eval myDate = strptime("01/".Column, "%d/%m/%Y") | table myDate

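An added example, not part of the original thread: a self-contained search that rebuilds the question's sample rows with makeresults (constructed data) and puts the month-only parse beside the day-prefixed parse from the answer above. The field names row, no_day, with_day and readable are assumptions, and the match() guard is an addition that leaves the non-date rows (high, medium, low) null instead of relying on the filter field.

```spl
| makeresults
| eval row=split("02/2016,100;03/2016,200;04/2016,150;05/2016,450;high,12;medium,30;low,34", ";")
| mvexpand row
| rex field=row "^(?<Column>[^,]+),(?<Value>\d+)$"
| eval no_day = strptime(Column, "%m/%Y")
| eval with_day = if(match(Column, "^\d{2}/\d{4}$"), strptime("01/".Column, "%d/%m/%Y"), null())
| eval readable = strftime(with_day, "%Y-%m-%d")
| table Column Value no_day with_day readable
```

Going by the answer above, no_day is expected to stay empty on every row, while with_day holds the epoch for the first day of each month and readable shows 2016-02-01 through 2016-05-01 for the four date rows.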

inventsekar
Ultra Champion

+1, Somesoni Sir.

One question -
///Option: add date part explicitly (when using month you anyways refer to first date of the month).///
why refer to first date, when using month?!?

0 Karma

somesoni2
SplunkTrust

Take the reference of the timechart with span=1mon. All the _time values will be set to "01/Month/Year 00:00:00 AM". While bucketing, Splunk assigns the lower value to the bucket; for month it'll be the first day.

0 Karma

singhh4
Path Finder

Worked! Thank you for the great explanation!

0 Karma

richgalloway
SplunkTrust

The screen shot has a "Column" field, but the SPL has "Columns". Parsing a column that doesn't exist will yield nothing.

---
If this reply helps you, Karma would be appreciated.
0 Karma

singhh4
Path Finder

Just an error when asking the question. Fixed, but the issue is still the same. Sorry about that.

0 Karma