Splunk Search

How can I convert my time format to epoch time?

m7787580
Explorer

Format I have in Splunk: Duration as 9h:42m:32s

I tried to use the below search but it didn't work.

eval "Duration"=strptime("Duration", "%Hh:%Mm:%Ss")|

Thanks in Advance

0 Karma

somesoni2
SplunkTrust

Do you want to convert your duration to epoch time or convert it to a number of seconds? If it's the latter, try it like this:

your current search |  eval Duration=replace(Duration,"[hms]","")  | convert dur2sec(Duration) as Duration

OR

your current search |  eval Duration=strptime(Duration,"%Hh:%Mm:%Ss")-relative_time(now(),"@d") 
0 Karma

Richfez
SplunkTrust

You are nearly right - I think your only problem is that you are quoting your field inside the strptime - when you quote it, Splunk treats it as a string with a value of "Duration" and tries to extract Hours, Minutes and Seconds from the word "Duration", not the field.

Try

eval "Duration"=strptime(Duration, "%Hh:%Mm:%Ss")

If your "Duration" field ever has spaces, you can use single quotes to quote it and it'll work. See all three (No quotes, single quotes and regular quotes) in the below "run anywhere" example.

| makeresults 
| eval dur1="9h:42m:32s" 
| eval "edur1"=strptime("dur1", "%Hh:%Mm:%Ss")
| eval "edur2"=strptime('dur1', "%Hh:%Mm:%Ss")
| eval "edur3"=strptime(dur1, "%Hh:%Mm:%Ss")

Notice it doesn't return "edur1".

_time                dur1        edur2              edur3
2017-02-25 07:01:47  9h:42m:32s  1488037352.000000  1488037352.000000

rjthibod
Champion

That value is not compatible with converting to epoch time because Splunk doesn't know when the time starts. The strptime function expects you are sending it some form of wall clock time, not a duration.

So, what is the start time, and what output would you really like to see: a clock time, or the number of seconds that duration represents (e.g., 34,952 seconds)?

0 Karma
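
Added example, not from any of the posters above: a run-anywhere search that treats the value as a duration rather than a wall-clock time, extracting hours, minutes and seconds with rex and summing them, so the result does not depend on the current date. It goes beyond the thread's single value by also covering a duration of 24 hours or more (outside the 00-23 range of %H) and one with no hours part. The three sample values and the field names n, h, m, s, duration_sec and via_strptime are constructed for illustration; via_strptime repeats the strptime subtraction suggested earlier in the thread for comparison.

```spl
| makeresults count=3
| streamstats count AS n
| eval Duration=case(n=1, "9h:42m:32s", n=2, "30h:05m:00s", n=3, "42m:32s")
| rex field=Duration "^(?:(?<h>\d+)h:)?(?:(?<m>\d+)m:)?(?<s>\d+)s$"
| eval duration_sec=coalesce(tonumber(h), 0)*3600 + coalesce(tonumber(m), 0)*60 + tonumber(s)
| eval via_strptime=strptime(Duration, "%Hh:%Mm:%Ss") - relative_time(now(), "@d")
| table Duration duration_sec via_strptime
```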