Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Conversion to UNIX time

zacksoft
Contributor
‎02-07-2018 12:36 AM

I want to convert my default _time field to UNIX/Epoch time and have it in a different field. This is how the Time field looks now.

2/7/18

3:35:10.531 AM

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎02-07-2018 12:54 AM

_time is already in epoch format...
so try:

...|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")

but if time is in different field then try this run anywhere search:

| makeresults |eval time="2/7/18 3:35:10.531 AM"|eval Time=strptime(time,"%m/%d/%y %I:%M:%S.%3N %p")

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎02-07-2018 01:51 AM

hey @zacksoft

You can use strftime(X,Y) to convert in a specified time format in Y and strptime(X,Y) to convert the same in epoch time.
have a look at this doc
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/DateandTimeFunctions#strftime.28X....

For time format, you can have a look at this doc
https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Commontimeformatvariables

Try this run anywhere search for more:

| gentimes start=-1 end=20 
| eval Endtime=strftime(endtime,"%d/%m/%Y %H:%M:%S"),Starttime=strftime(starttime,"%d/%m/%Y %H:%M:%S"),Starthuman=strptime(starthuman,"%a %b %d %H:%M:%S %Y"),Endhuman=strptime(endhuman,"%a %b %d %H:%M:%S %Y") 
| table starttime Starttime endtime Endtime starthuman Starthuman endhuman Endhuman

let me know if this helps!

0 Karma
Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎02-07-2018 12:54 AM

_time is already in epoch format...
so try:

...|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S")

but if time is in different field then try this run anywhere search:

| makeresults |eval time="2/7/18 3:35:10.531 AM"|eval Time=strptime(time,"%m/%d/%y %I:%M:%S.%3N %p")
0 Karma
Reply
Solved! Jump to solution

zacksoft
Contributor
‎02-07-2018 12:58 AM

Can I perform math functions like add/subtract to the time field after using
|eval time=strftime(_time,"%Y-%m-%d %H:%M:%S") ?

example new_time = time +39s ??

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-07-2018 01:02 AM

you have to perform math before strftime function

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-07-2018 12:59 AM

so you have to convert min into sec. and then add. here 30m=30*60sec

new_time=_time+1800|eval new_time=strftime(new_time,"%Y-%m-%d %H:%M:%S")
0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎02-07-2018 12:46 AM

That's just how _time automatically get's presented, under the hood, it is still a UNIX timestamp value. So you can simply do:
| eval mytime=_time

Reply
Solved! Jump to solution

zacksoft
Contributor
‎02-07-2018 12:51 AM

If it is internally represented at epoch time, then can math functions be applied to _time field directly ? i.e. new_time = _time + 30m ('new_time' is the time after 30 minutes) ..something like this ?

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎02-07-2018 12:59 AM

so you have to convert min into sec. and then add. here 30m=30*60sec

new_time=_time+1800|eval new_time=strftime(new_time,"%Y-%m-%d %H:%M:%S")
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...