Re: Can you help me with an issue i'm having with ...

Divyachundu · ‎10-23-2018

I am trying to implement strptime command on my lookup named test.csv, which has fields _time, hits with data from Aug-12 to Oct-21.

I created a scheduled job to update my lookup dynamically everyday at 3:00 AM with yesterday's data. So, on Oct-23rd, my lookup got updated with Oct-22 data.

The issue is, while running the below command, I am getting blank values for _time field, where as hits field is coming fine.

|inputlookup test.csv|eval _time=strptime(_time, "%Y-%m-%dT%H:%M:%S")

Divyachundu · ‎10-25-2018

Thank you all your replied. I figured out what is causing the issue.

The time format in the initial lookup is "%Y-%m-%dT%H:%M:%S". When my job is appending the lookup, the time stamp is being saved in epoch which is causing issue when I am using strptime command.

kamal_jagga · ‎10-23-2018

Try naming the new field differently from _time to Date.

|inputlookup test.csv
|eval Date=strptime(_time, "%Y-%m-%dT%H:%M:%S").

Divyachundu · ‎10-25-2018

I did try this before . Didn't help. Thanks for sharing your thoughts.

cmerriman · ‎10-23-2018

can you provide sample data of your csv file before you do any evals to it. scrubbed of any pii/phi info, of course.

Can you help me with an issue i'm having with the strptime function?

Introducing the Splunk Community Dashboard Challenge!

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability