Convert time to epoch time & time zone

willadams · ‎02-12-2020

In my index, I have a field that has been extracted for a "last checkin time". The time shown is GMT and I need to use this field when using a dashboard to accurately show data. I am having a problem with my strptime in that it is not working.

An example is an extracted field ==> 2020-02-13 05:00:29.0
The time is GMT (and it needs to be GMT+8)

I have done the following:

index=someindex source="mysource"
| eval epoch_time=strptime("last_checkin_time", "%Y-%m-%d %H:%M:%S.%3N")

I have tried adjusting the value of eval to use the %Q options but that has not been able to generate anew field that I can use. I have also tried to use %Z at the end of the strptime to try and force timezone but to no avail

I would like to use this time instead of the ingest time (or _time) to drive my dashboard.

Thanks in advance

to4kawa · ‎02-13-2020

| eval epoch_time=strptime('last_checkin_time'." +0000", "%F %T.0 %z")

renjith_nair · ‎02-13-2020

@willadams ,

last_checkin_time in strptime shouldn't be in quotes(") which will treat it as a literal. Remove the quotes around it to treat it as variable.

i.e.

eval epoch_time=strptime(last_checkin_time, "%Y-%m-%d %H:%M:%S.%3N")

Happy Splunking!

Convert time to epoch time & time zone

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!