The new myTime
field is blank for some reason -- anyone know why? Consider the below code I'm using:
|makeresults
|eval originalTime = "01/05/19"
|eval myTime = strptime(originalTime, "%m/%d/%Y")
|table originalTime myTime
Oddly enough, it DOES work if I use |eval originalTime = "11:55"
with eval myTime = strptime(originalTime, "%H:%M")
. Why won't my original query work? Because of this, I'm unable to convert time to UNIX time in my CSVs.
Your string format time is wrong. Try this
|makeresults
|eval originalTime = "01/05/19"
|eval myTime = strptime(originalTime, "%m/%d/%y")
|table originalTime myTime
Your upper case %Y is for year with century (i.e. 2019) . You specified without century (i.e. 19) which is %y
It should be lowercase y in the format...
| makeresults
| eval originalTime = "01/05/19"
| eval myTime=strptime(originalTime,"%m/%d/%y")
| table originalTime myTime
With the strptime function, you must specify the time format of the string X so that the function can convert the string time into the correct UNIX time.
http://docs.splunk.com/Documentation/Splunk/7.2.1/SearchReference/DateandTimeFunctions#strptime.28X....
Your string format time is wrong. Try this
|makeresults
|eval originalTime = "01/05/19"
|eval myTime = strptime(originalTime, "%m/%d/%y")
|table originalTime myTime
Your upper case %Y is for year with century (i.e. 2019) . You specified without century (i.e. 19) which is %y
Ahh you're right, I missed that! Thanks!