Convert data from "%Y-%m" to epoch and again to "%Y-%m"

Accak
Path Finder

Hi guys, I am a beginner with some problems with converting.
I tried to parse a date in the format %Y-%m, like 2017-01, to epoch, but this:

eval next_month = strptime(chose_month, "%Y-%m")

does not work.

I did a workaround; can anybody tell me how I can improve this?

| eval next_month=chosen_month+"-01"
| eval next_month=strptime(next_month,"%Y-%m-%d")
| eval next_month=strftime(relative_time(next_month, "+1mon"), "%Y-%m")

Thanks in advance!


DalJeanis
SplunkTrust

Apparently, strptime does not operate as expected for that format. Concatenate "-01" on the end and use the method in mydate2C below.

| makeresults  
| eval mytime=_time
| eval mydate1 = strftime(_time,"%Y") 
| eval mydate1B = strptime(mydate1,"%Y")
| eval mydate2=strftime(_time,"%Y-%m")
| eval mydate2B=strptime(mydate2,"%Y-%m") 
| eval mydate2C=strptime(mydate2."-01","%Y-%m-%d")
| eval mydate3=strftime(_time,"%Y-%m-%d") 
| eval mydate3B=strptime(mydate3,"%Y-%m-%d") 
| table _time mytime mydate1 mydate1B mydate2 mydate2B mydate2C mydate3 mydate3B

In your case, that would look like -

| eval this_month_epoch = strptime(chose_month."-01", "%Y-%m-%d")
| eval next_month_epoch = relative_time(this_month_epoch, "+1mon@m")

And if you want to display the results -

| eval this_month_display = strftime(this_month_epoch,"%Y-%m-%d")
| eval next_month_display = strftime(next_month_epoch,"%Y-%m-%d")


somesoni2
SplunkTrust

When converting a string date to epoch, the day and month parts are mandatory; the year part is optional (it defaults to the same year).
When converting a string time to epoch, the hour and minute parts are mandatory; the date part is optional (it defaults to today).


DalJeanis
SplunkTrust

True, but odd. The expected epoch output for a date/time specified at the month level would be the first moment of that month. There's no ambiguity in that as the default. The Open Spec is silent on the matter, as far as I can tell.


somesoni2
SplunkTrust

I would agree. If you can default the hour to 0 if no hour is specified (when giving month and day) to default to start of the day, why not do the same with month, or year for that matter?
