Splunk Search

Difficult date time conversion

timbitsandbytes
Engager

Well it's a difficult conversion for me, anyway.

Here's the field: dateTime=Fri Jan 18 17:11:55 GMT+00:00 2013

  • I want to convert it to seconds since the epoch so I can do a date comparison.
  • I don't think there's a way for Splunk to recognize the tz offset as "+00:00" so first I transform that to "+0000".

eval dtFormatted=replace(dateTime, ":", "") |
eval dtSeconds=strptime(dtFormatted, "%a %b %d %H%M%S %Z%:z %Y")

In my search results "dtFormatted" is discovered and I've verified it's properly formatted but "dtSeconds" is not discovered.

What am I doing wrong? Why can't I convert this string to seconds?

1 Solution

jonuwz
Influencer

Try this :

... | rex mode=sed field=dateTime "s/(\+[0-9:]{5})/ \1/" 
    | eval dtSeconds=strptime(dateTime, "%a %b %d %T %Z %:z %Y")

The problem was that %Z expects a space after the time zone. In your format, %Z was being set to GMT+0000 instead of GMT, and %Y was null.

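The same normalize-then-parse approach outside Splunk, as an added Python example that is not from the thread: it mirrors the answer's sed step (insert a space so the zone name and the numeric offset are separate tokens), converts the field to epoch seconds, and finishes the asker's goal of a date comparison. It generalizes the answer's regex to "-" offsets as well, which the original `(\+[0-9:]{5})` does not match; the field values are constructed samples in the thread's format.

```python
import re
from datetime import datetime

# Constructed sample values in the format from the question.
SAMPLE = "dateTime=Fri Jan 18 17:11:55 GMT+00:00 2013"
SAMPLE_NEG = "dateTime=Fri Jan 18 12:11:55 GMT-05:00 2013"  # same instant as SAMPLE
CUTOFF = "dateTime=Tue Jan 01 00:00:00 GMT+00:00 2013"

# Per the accepted answer, Splunk's %Z consumes everything up to the next
# space, so "GMT+00:00" is read as the zone name and the year is lost.
# Insert a space between the letters of the zone name and a signed offset.
# Generalised to "-" offsets; the thread's sed matched only "+".
ZONE_OFFSET = re.compile(r"(?<=[A-Za-z])([+-]\d{2}:\d{2})")


def normalize(raw: str) -> str:
    """'... GMT+00:00 2013' -> '... GMT +00:00 2013'."""
    return ZONE_OFFSET.sub(r" \1", raw)


def to_epoch(field: str) -> int:
    """Convert a 'dateTime=<value>' field (or a bare value) to epoch seconds."""
    value = field.split("=", 1)[-1].strip()
    # Zone name and offset are now separate tokens, as in the answer's format.
    parsed = datetime.strptime(normalize(value), "%a %b %d %H:%M:%S %Z %z %Y")
    return int(parsed.timestamp())  # %z makes the datetime offset-aware


def is_after(field: str, cutoff: str) -> bool:
    """The comparison the asker wanted: compare on epoch seconds, not strings."""
    return to_epoch(field) > to_epoch(cutoff)


if __name__ == "__main__":
    print(normalize(SAMPLE.split("=", 1)[1]))
    print(to_epoch(SAMPLE), to_epoch(SAMPLE_NEG), is_after(SAMPLE, CUTOFF))
```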


timbitsandbytes
Engager

I see - I would not have caught that. But your sed/regex works great. Thanks very much!


timbitsandbytes
Engager

Yes, thanks. Unfortunately when I copied the search string (on a network that doesn't have access to the Internet) I miscopied it. It's been corrected above.


jonuwz
Influencer

Shouldn't you have dtFormatted as the 1st argument to strptime?
