Splunk Search

Combine 2 TimeDate fields of different types into one

Riosrr
New Member

I have 3 different time date fields in my logs with 2 being redundant and the other being a different measure.
Time_A= %m-%d-%y 00:00:00 (yes, there is no hour, minute, second recorded)
Time_B= %m-%d-%y 00:00:00 (again, yes)
Time_C= Minutes after midnight

Is there a simple way to convert Time_C to anything similar to %T (understanding that seconds will be truncated) and then have a join of Time_A and Time_C?

"TimeDate = Time_A + Time_C" in a format Splunk could read as a usable format is the preferred outcome.


Riosrr
New Member

First off, thank you all for taking the time to help out! I realize now that I could have been much more clear and informative with my question. I will attach a copy of a slightly edited version of my logs after going through the indexer:

2018-04-04 00:00:00.000, LoginHistory="11968096", Logon=" ", Action="1", Date="2018-04-04 00:00:00.0", Time="538", Terminal=" ", AudSID="508081017", User="18187", StationId="7797", Application="0", IsPINAttempt="0", AuditUser="18187", AuditStationId="7797"

Action = 1

Date = 2018-04-04 00:00:00.0

LoginHistory = 11968096

Logon =

Terminal =

Time = 538

host =

I am, likely obviously, new to Splunk. My overall objective is to have Splunk recognize event times as its own date time. I believe this variable is _time. It seems as though the suggested solution is to get my 'Time' field converted to seconds.

| makeresults count=3 | eval Date="2018-04-04 00:00:00.0", Time="538" | eval duration='Time'*60 | eval date_epoch=strptime(substr('Date',1,10),"%Y-%m-%d") | eval _time=date_epoch+duration | eval TimeDate=strftime(_time,"%Y-%m-%d %H:%M:%S")

This is what I think it should look like based on the suggestions, but I have no idea how to apply that to the current index or if I am even using the right syntax.


cmerriman
Super Champion

try adding something like this:

|eval new_time=substr(Time_A,1,10)." ".tostring(Time_C*60,"duration")

it should grab the first 10 characters of your date in Time_A and calculate the duration for Time_C by converting the minutes to seconds and putting it into a duration format.


splunker12er
Motivator

try something like this, if you want to see results at search time:

| makeresults | eval time_A="04-31-2018 00:00:00" | eval time_C="12:01:50" | rex mode=sed field=time_A "s/00:00:00//g" | eval time_A=tostring(time_A).tostring(time_C) | table time_A

deepashri_123
Motivator

Hey @Riosrr,

You can try this run anywhere command:
| makeresults count=3 |eval duration=60| eval dateadded_epoch = strftime('_time',"%Y-%m-%d %H:%M:%S")|eval date_epoch = strptime('dateadded_epoch',"%Y-%m-%d %H:%M:%S") |eval date=date_epoch+duration | eval date1 = strftime('date', "%Y-%m-%d %H:%M:%S")

You need to convert your Time_A to epoch, then add Time_C, and then convert it back to a date.
That will help you use it in a readable format.

Let me know if this helps!!

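As an added example that is not part of any reply in this thread, the Date + Time*60 join worked through offline in Python against the sample event from the question, so the expected _time value can be checked before the search is trusted (the UTC time zone is an assumption; Splunk's strptime would apply the searching user's time zone, so _time can differ between users unless the source time zone is known):

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed copy of the event format shown in the question (not real data).
SAMPLE_EVENT = (
    '2018-04-04 00:00:00.000, LoginHistory="11968096", Logon=" ", Action="1", '
    'Date="2018-04-04 00:00:00.0", Time="538", Terminal=" ", AudSID="508081017", '
    'User="18187", StationId="7797", Application="0", IsPINAttempt="0", '
    'AuditUser="18187", AuditStationId="7797"'
)

KV_RE = re.compile(r'(\w+)="([^"]*)"')
MINUTES_PER_DAY = 24 * 60


def parse_event(raw: str) -> dict:
    """Extract key="value" pairs, the way Splunk's automatic KV extraction would."""
    return {k: v.strip() for k, v in KV_RE.findall(raw)}


def combine_date_and_minutes(date_str: str, minutes_str: str, tz=timezone.utc) -> datetime:
    """Join a midnight-only Date ('%Y-%m-%d %H:%M:%S.%f') with a minutes-after-midnight
    Time field into one timestamp; this is the strptime(Date) + Time*60 step in SPL.
    tz is an assumption: Splunk would use the searching user's time zone instead."""
    day = datetime.strptime(date_str, "%Y-%m-%d %H:%M:%S.%f").replace(tzinfo=tz)
    minutes = int(minutes_str)
    # A Time value outside one day means the field is not minutes-after-midnight.
    if not 0 <= minutes < MINUTES_PER_DAY:
        raise ValueError(f"Time={minutes} is not a minutes-after-midnight value")
    return day + timedelta(minutes=minutes)


def event_time(raw: str) -> tuple:
    """Return (epoch seconds, '%Y-%m-%d %H:%M:%S') for one event, i.e. the _time
    and TimeDate values the search is meant to produce."""
    fields = parse_event(raw)
    ts = combine_date_and_minutes(fields["Date"], fields["Time"])
    return int(ts.timestamp()), ts.strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print(event_time(SAMPLE_EVENT))  # (1522832280, '2018-04-04 08:58:00')
```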