Solved: How can I change human to epoch time

nagarjuna280 · ‎07-29-2017

I got the same result for Both AM AND PM,

I changed AM to PM --epoch results is 1418037694.000000 and is same for PM

acharlieh · ‎07-30-2017

Because %H is the hour on a 24-hour clock... you need to use %I for the hour on a 12-hour clock. See the docs: https://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Commontimeformatvariables

Also an updated search to show the difference:

| makeresults count=2 | streamstats count | eval YourDate=if(count=1,"3:21:34 AM 12/8/2014","3:21:34 PM 12/8/2014") | table YourDate 
| eval epoch1h=strptime(YourDate,"%H:%M:%S %p %m/%d/%Y") | convert timeformat="%H:%M:%S %p %m/%d/%Y" mktime(YourDate) as epoch2h 
| eval epoch1i=strptime(YourDate,"%I:%M:%S %p %m/%d/%Y") |  convert timeformat="%U:%M:%S %p %m/%d/%Y" mktime(YourDate) as epoch2i

View solution in original post

acharlieh · ‎07-30-2017

Because %H is the hour on a 24-hour clock... you need to use %I for the hour on a 12-hour clock. See the docs: https://docs.splunk.com/Documentation/Splunk/6.6.2/SearchReference/Commontimeformatvariables

Also an updated search to show the difference:

| makeresults count=2 | streamstats count | eval YourDate=if(count=1,"3:21:34 AM 12/8/2014","3:21:34 PM 12/8/2014") | table YourDate 
| eval epoch1h=strptime(YourDate,"%H:%M:%S %p %m/%d/%Y") | convert timeformat="%H:%M:%S %p %m/%d/%Y" mktime(YourDate) as epoch2h 
| eval epoch1i=strptime(YourDate,"%I:%M:%S %p %m/%d/%Y") |  convert timeformat="%U:%M:%S %p %m/%d/%Y" mktime(YourDate) as epoch2i

How can I change human to epoch time

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...