Solved: What is strptime format for 2017-08-01T11:48:15.00...

balamurali_dece · ‎08-09-2017

I want to load a json into splunk. The time stamp of each event is in the format 2017-08-01T11:48:15.000+0000. I used %Y-%m-%dT%H:%M:%S.%3N+%z and similar combinations so that splunk recognises the time stamp but with no success. What is correct strptime format so that splunk understands this.

richgalloway · ‎08-09-2017

The %z format variable includes the '+' so you don't have to specify it separately. Try %Y-%m-%dT%H:%M:%S.%3N%z.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎08-09-2017

The %z format variable includes the '+' so you don't have to specify it separately. Try %Y-%m-%dT%H:%M:%S.%3N%z.

---
If this reply helps you, Karma would be appreciated.

adonio · ‎08-09-2017

looks like it works fine:
try it:

  | makeresults count=1 
 | eval t = "2017-08-01T11:48:15.000+0100, 2017-08-01T12:48:15.000+0200, 2017-08-01T13:48:15.000+0300"
 | makemv delim="," t
 | mvexpand t
 | eval time = strptime(t, "%Y-%m-%dT%H:%M:%S.%3N%z")

What is strptime format for 2017-08-01T11:48:15.000+0000

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...