I have a field in some events that contains a time as a string. The times are in the format "2010-07-15-13", which the fields representing "%Y-%m-%d-%H" (year,month,day,24-hour). I'm trying to convert this string to a time, and I've tried several functions-
| eval _time=strptime(hour,"%Y-%m-%d-%H")
| convert timeformat="%Y-%m-%d-%H" mktime(hour) as _time
However, neither of these functions gives me the correct results. I do get a result- I read that if the provided format string doesn't match the string to parse, you get no result- but the result is wrong, having chopped off the hour portion of the string. Example-
2010-07-08-10 -> 7/8/10 12:00:00.000 AM
2010-07-08-11 -> 7/8/10 12:00:00.000 AM
This is not the result I'm looking for as I need the hour data to be in my end result.
Does anyone know why these functions are not working as expected?
How about just appending the minutes so it is parseable as a time stamp?
| eval _time=strptime(_time+"-00","%Y-%m-%d-%H-%M")
How about just appending the minutes so it is parseable as a time stamp?
| eval _time=strptime(_time+"-00","%Y-%m-%d-%H-%M")
That works! Thanks a lot. I wonder if I should submit a bug report, because I shouldn't really have to do this, and it still doesn't work with the convert command, but at least I have my desired results.