Splunk Search

Time function

vaibhavbeohar
Path Finder

Hi,
How to use strptime(X,Y) and strftime(X,Y) function in search, please explain with example.

Thanks,

vaibhavbeohar
Path Finder

Hi
I am running search with the following string

"sourcetype="TicketAnalysis" | chart count by CloseDateTime" and getting result in following format

"CloseDateTime" "count"

2013-02-19 11:40 AM 1

2013-02-20 12:11 PM 1

2013-02-22 16:26 PM 1

2013-02-23 01:02 AM 1

2013-02-26 12:13 PM 1

i would like to have CloseDateTime field in only day or month format. i tried to do through "convert timeformat="%d" ctime(_time) function and not getting any result. can you please help me out.

Thanks.

vaibhavbeohar
Path Finder

Hi
I am running search with the following string

"sourcetype="TicketAnalysis" | chart count by CloseDateTime" and getting result in following format

"CloseDateTime" "count"

2013-02-19 11:40 AM 1

2013-02-20 12:11 PM 1

2013-02-22 16:26 PM 1

2013-02-23 01:02 AM 1

2013-02-26 12:13 PM 1

i would like to have CloseDateTime field in only day or month format. i tried to do through "convert timeformat="%d" ctime(_time) function and not getting any result. can you please help me out.

Thanks.

kristian_kolb
Ultra Champion

Hi,

strptime(X,Y) will convert a string X, e.g. "2013-03-22 11:22:33", into epoch, with the string being described by Y

strftime(X,Y) will convert an epoch timestamp (X) into a string, defined by Y.

An example;

You want to calculate the difference between two timestamps in an event. This event looks like;

2013-03-22 11:22:33 transactionid=123 startdate=03/18/2013 enddate=03/23/2013

base search 
| eval start=strptime(startdate,"%m/%d/%Y") 
| eval end=strptime(enddate, "%m/%d/%Y") 
| eval dur = end - start 
| the rest of the search

Then you want to calculate how many transaction that started in March. Add the following lines;

| eval startmonth = stfrtime(start, "%m")

Now start and end is in epoch (an integer), dur is also an integer (the number of seconds between the two dates). startmonth will be '03' (for March) for the event above.

See the following resources for more info;

http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/Commontimeformatvariables
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/CommonEvalFunctions
http://www.strftime.net


UPDATE:

Well, since you have the CloseTimeDate as a string, you can do the calculations pretty much as described above all done in one eval;

sourcetype="TicketAnalysis" 
| eval cd=strftime(strptime(CloseDateTime,"%Y-%m-%d %H:%M:%S %p"),"%m-%d")
| chart count by cd

The inner function - strptime() - converts your string to epoch, and the outer - strftime() - converts/extracts the parts you want, and in what order from the epoch. In this case Month-Day will be stored in the new field 'cd'.

Of course, there is more than one way to do it, one of which is to use eval's substr() function to operate on the string CloseDateTime directly (if you are happy with how it looks, and just want to strip off a few parts).

sourcetype="TicketAnalysis" 
| eval cd=substr(CloseDateTime,5,5)
| chart count by cd

which will take the field (CloseDateTime) jump to offset 5 (i.e. skip the 2013- part) and read 5 characters, i.e. '02-19'.

OR if these dates actually are the same, or nearly the same, as the time of the event, you may be happy with using the built-in fields date_month, date_hour, date_mday, date_second etc. These are automatically calculated for most types of event, apart from Windows EventLogs.

Hope this helps,

Kristian

kristian_kolb
Ultra Champion

If it worked for you, please mark the question as 'answered'. Thanks.

0 Karma

vaibhavbeohar
Path Finder

Thanks Kristian..

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...