Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Convert timestamps in transforms.conf?

holtb
Explorer
‎08-20-2012 04:35 PM

I'm new to this wonderful app, so pardon my inexperience if this is easy...I have a very long search string, but I'd like to have these values created automatically on index. How could I convert this set of converts and calculations into a transform?

source="/sge/default/default/common/accounting" 
| eval "Wait Time"=start_time-submit_time 
| eval "Run Time"=end_time-start_time 
| eval "Submit Time"=strftime(submit_time,"%Y %b %d %H:%M:%S") 
| eval "Start Time"=strftime(start_time,"%Y %b %d %H:%M:%S") 
| eval "End Time"=strftime(end_time,"%Y %b %d %H:%M:%S") 
| table uid job_name project qname "Submit Time" wait_time "Start Time" "End Time" run_time failed

I tried doing it this way to no avail:

[accttimeconvert]
eval "Wait Time"=start_time-submit_time
eval "Run Time"=end_time-start_time
eval "Submit Time"=strftime(submit_time, "%Y/%m/%d %H:%M:%S")
eval "Start Time"=strftime(start_time, "%Y/%m/%d %H:%M:%S")
eval "End Time"=strftime(end_time, "%Y/%m/%d %H:%M:%S")
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎08-20-2012 05:24 PM

This feature does not exist as of Splunk 4.3. Today, your best option is a macro that implements your series of eval operations.

There are rumours that the next major release of Splunk will support a feature quite similar to this. But, of course, the exact feature content of the next release is always subject to change. I would recommend keeping an eye out.

I think one thing to point out is that you don't necessarily want this done at index time, but rather at search time. The search-time late binding of field names to values is one of Splunk's strengths.

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎08-20-2012 05:24 PM

This feature does not exist as of Splunk 4.3. Today, your best option is a macro that implements your series of eval operations.

There are rumours that the next major release of Splunk will support a feature quite similar to this. But, of course, the exact feature content of the next release is always subject to change. I would recommend keeping an eye out.

I think one thing to point out is that you don't necessarily want this done at index time, but rather at search time. The search-time late binding of field names to values is one of Splunk's strengths.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...