Splunk Search

Convert Timestamp from one format to UNIX style format

dowdag
Engager

I have a log file that has the timestamp for each line as:

Jun 10, 11:07:59.305475

Note that the year is missing - it is inferred from file name... or something...
I am good with deriving year from now()

I would like to convert it to:

2019-6-10 11:07:59.305475

Might there be a way to accomplish this when creating a field extraction?

I have had no luck with startime

Thanks for any clues!

0 Karma

harshpatel
Contributor

Hi @dowdag,

You are defining the wrong format for DateTimeStr when converting it to epoch time. Please try this:

| eval uxTimeStamp=strftime(strptime(DateTimeStr, "%Y-%m-%d %H:%M:%S.%6N"), "%Y-%m-%d %H:%M:%S:%3N")

Note that your DateTimeStr value is 2019-06-06 11:10:04.307625, while the format you gave strptime, i.e. %Y-%m-%d %H:%M:%S:%3N, expects DateTimeStr to look like 2019-06-06 11:10:04:307, which results in uxTimeStamp being NULL.

Cheers,
Harsh

0 Karma

dowdag
Engager

Extracted "date time string" data from log: Jun 06, 11:10:04.307625

I added a lookup table

MonthAbrv,MonthNumber
Jan,01
Feb,02
Mar,03
etc....

| rex field=TimeStamp "(?<Month>\w+)"
| lookup MonthStrToNum MonthAbrv as Month OUTPUT MonthNumber
| rex field=TimeStamp "\w+\s(?<day>\d+)"
| eval year=strftime(now(), "%Y") 
| rex field=TimeStamp "^.+,\s(?<Time>[\d:.]+)"
| eval DateTimeStr= (year . "-". MonthNumber . "-" . day ." " . Time)

DateTimeStr: 2019-06-06 11:10:04.307625

| eval uxTimeStamp=strftime(strptime(DateTimeStr, "%Y-%m-%d %H:%M:%S:%3N"), "%Y-%m-%d %H:%M:%S:%3N")

However uxTimeStamp is NULL -- what might I have missed?

Thanks for any help

0 Karma
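The pipeline from the two posts above (rebuild a dated string from the yearless stamp, then strptime/strftime it), as an added Python example that is not from the thread or from Splunk. It mimics SPL strptime returning NULL on a format mismatch, so it shows why a "%S:%3N"-style format yields NULL for a ".307625" value, and it adds the check the thread does not have: a year taken from now() mis-dates lines that cross a year boundary (a Dec 31 line read on Jan 2), so a stamp that would land in the future is assigned to the previous year. The sample timestamps are constructed, the field names follow the thread, and the epoch value assumes the log is in UTC.

```python
"""Added example (not from the thread or from Splunk): the poster's pipeline in Python.

Raw stamps look like "Jun 06, 11:10:04.307625" (no year). The year is taken from
'now', as the poster decided, with one extra check for the year boundary.
"""
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample values in the thread's format (not real log data).
SAMPLE_TIMESTAMPS = [
    "Jun 06, 11:10:04.307625",
    "Jun 10, 11:07:59.305475",
    "Dec 31, 23:59:59.999999",   # crosses a year boundary when 'now' is early January
]

RAW_FORMAT = "%b %d, %H:%M:%S.%f"        # what the log carries; %b does the Jun->06 lookup
RAW_FORMAT_WITH_YEAR = "%Y " + RAW_FORMAT
# Python's %f (microseconds) plays the role of Splunk's %6N here.
WRONG_FORMAT = "%Y-%m-%d %H:%M:%S:%f"    # colon before the fraction: the thread's failing format
RIGHT_FORMAT = "%Y-%m-%d %H:%M:%S.%f"    # dot before the fraction: matches DateTimeStr


def splunk_strptime(text: str, fmt: str) -> Optional[datetime]:
    """Like SPL strptime(): a format mismatch yields None (Splunk's NULL), not an exception."""
    try:
        return datetime.strptime(text, fmt)
    except ValueError:
        return None


def parse_with_year(raw: str, year: int) -> Optional[datetime]:
    """Parse a yearless stamp as belonging to `year`. Prepending the year (rather than
    replace(year=...)) lets the parser validate Feb 29 against the chosen year."""
    return splunk_strptime(f"{year} {raw}", RAW_FORMAT_WITH_YEAR)


def infer_year(raw: str, now: datetime) -> Optional[int]:
    """Year from now(), with a boundary check: a stamp that would land after `now`
    cannot be from this year (a Dec 31 line read on Jan 2), so use the previous year."""
    this_year = parse_with_year(raw, now.year)
    if this_year is not None and this_year <= now:
        return now.year
    last_year = parse_with_year(raw, now.year - 1)
    return now.year - 1 if last_year is not None else None


def build_datetime_str(raw: str, now: datetime) -> Optional[str]:
    """The poster's DateTimeStr: 'YYYY-MM-DD HH:MM:SS.ffffff', or None if unparseable."""
    year = infer_year(raw, now)
    if year is None:
        return None
    return parse_with_year(raw, year).strftime(RIGHT_FORMAT)


def to_epoch(datetime_str: Optional[str], fmt: str) -> Optional[float]:
    """strptime() -> epoch seconds, treating the string as UTC (an assumption).
    Returns None on a format mismatch, which is what happened in the thread."""
    if datetime_str is None:
        return None
    parsed = splunk_strptime(datetime_str, fmt)
    if parsed is None:
        return None
    return parsed.replace(tzinfo=timezone.utc).timestamp()


def normalize(raws: List[str], now: datetime) -> List[Tuple[str, Optional[str], Optional[float]]]:
    """Full pipeline for a batch of raw stamps: (raw, DateTimeStr, epoch)."""
    result = []
    for raw in raws:
        dts = build_datetime_str(raw, now)
        result.append((raw, dts, to_epoch(dts, RIGHT_FORMAT)))
    return result


if __name__ == "__main__":
    now = datetime(2019, 6, 10, 12, 0, 0)   # fixed 'now' so the run is reproducible
    for raw, dts, epoch in normalize(SAMPLE_TIMESTAMPS, now):
        print(f"{raw:28} -> {dts} -> {epoch}")
    # The thread's failing call: a '%S:%3N'-style format against a '.307625' value gives NULL.
    print("wrong format ->", to_epoch("2019-06-06 11:10:04.307625", WRONG_FORMAT))
```

In SPL the equivalent of RIGHT_FORMAT is the "%Y-%m-%d %H:%M:%S.%6N" pattern from the reply above; the year-boundary check is not something a single strptime() gives you in either language, so for a forensic timeline it has to be added explicitly, for example by comparing the parsed epoch against now() and re-parsing with the previous year when it lies in the future.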

gcusello
SplunkTrust

Hi dowdag,
You have to convert your timestamp twice, try something like this:

| eval time_field=strftime(strptime(TimeStamp,"%b %d, %H:%M:%S.%6N"),"%Y-%m-%d %H:%M:%S.%6N")

Bye.
Giuseppe

0 Karma

harshpatel
Contributor

Hi @dowdag, are you trying to achieve this using props.conf, or do you want to do this in a Splunk search?
From what I can tell, you are already extracting the timestamp using props.conf and want to add a year to it?

0 Karma

alonsocaio
Contributor

You can try using this command to format _time:

| eval time_field=strftime(_time,"%Y-%m-%d %H:%M:%S.%6N")
0 Karma