Solved: Strptime bug?

ARothman · ‎11-07-2012

Has anyone else noticed that strptime does not work in the following situation?

VersionExpiry has a value of 9999-01-01 00:00:00 (or with any year greater than 2999)

eval VersionExpiryEpoch=strptime(VersionExpiry, "%Y-%m-%d %H:%M:%S")

Field "VersionExpiryEpoch" is never created

Does anyone have any workaround ideas to force Splunk in recognizing that existence may, in fact, continue past the year 2999? 😉

The raw data Splunk is receiving is indicating that the version, as of this moment, does not have an expiration date... hence the year 9999. I could, easily, hardcode it in the query that a value of 9999-01-01 00:00:00 means that the version is up to date, but I'd prefer that the function worked correctly.

dart · ‎11-08-2012

If you just need it to work on that specific far future date, then you could do something like this:

search goes here | eval VersionExpiryEpoch = coalesce(strptime(VersionExpiry, "%Y-%m-%d %H:%M:%S"), 253370786400)

View solution in original post

dart · ‎11-08-2012

If you just need it to work on that specific far future date, then you could do something like this:

search goes here | eval VersionExpiryEpoch = coalesce(strptime(VersionExpiry, "%Y-%m-%d %H:%M:%S"), 253370786400)

ARothman · ‎11-08-2012

Seems to have done the trick - thanks.

Strptime bug?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases