- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Conversion to UNIX time
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to convert my default _time field to UNIX/Epoch time and have it in a different field. This is how the Time field looks now.
2/7/18
3:35:10.531 AM
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_time is already in epoch format...
so try:
...|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")
but if time is in different field then try this run anywhere search:
| makeresults |eval time="2/7/18 3:35:10.531 AM"|eval Time=strptime(time,"%m/%d/%y %I:%M:%S.%3N %p")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hey @zacksoft
You can use strftime(X,Y) to convert in a specified time format in Y and strptime(X,Y) to convert the same in epoch time.
have a look at this doc
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/DateandTimeFunctions#strftime.28X....
For time format, you can have a look at this doc
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables
Try this run anywhere search for more:
| gentimes start=-1 end=20
| eval Endtime=strftime(endtime,"%d/%m/%Y %H:%M:%S"),Starttime=strftime(starttime,"%d/%m/%Y %H:%M:%S"),Starthuman=strptime(starthuman,"%a %b %d %H:%M:%S %Y"),Endhuman=strptime(endhuman,"%a %b %d %H:%M:%S %Y")
| table starttime Starttime endtime Endtime starthuman Starthuman endhuman Endhuman
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
_time is already in epoch format...
so try:
...|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")
but if time is in different field then try this run anywhere search:
| makeresults |eval time="2/7/18 3:35:10.531 AM"|eval Time=strptime(time,"%m/%d/%y %I:%M:%S.%3N %p")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can I perform math functions like add/subtract to the time field after using
|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") ?
example new_time = time +39s ??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
you have to perform math before strftime function
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so you have to convert min into sec. and then add. here 30m=30*60sec
new_time=_time+1800|eval new_time=strftime(new_time,"%Y-%m-%d %H:%M:%S")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That's just how _time automatically get's presented, under the hood, it is still a UNIX timestamp value. So you can simply do:
| eval mytime=_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If it is internally represented at epoch time, then can math functions be applied to _time field directly ? i.e. new_time = _time + 30m ('new_time' is the time after 30 minutes) ..something like this ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so you have to convert min into sec. and then add. here 30m=30*60sec
new_time=_time+1800|eval new_time=strftime(new_time,"%Y-%m-%d %H:%M:%S")
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
