Solved: Re: Will you help me with this string to date conv...

jiaqya · ‎09-18-2018

I'm struggling to convert this to a Splunk readable format.

Sep 18, 2018 17:25:24.870411000

Can you me figure out how to make Splunk understand this as a date format?

msivill_splunk · ‎09-18-2018

Try....

| makeresults 
| eval date_string = "Sep 18, 2018 17:25:24.870411000" 
| eval date = strptime(date_string, "%b %d, %Y %H:%M:%S.%f")

This will capture to microsecond. The example date provided goes down to nanosecond level but only seems to use to the microsecond. Will this work for you?

View solution in original post

DalJeanis · ‎09-18-2018

https://docs.splunk.com/Documentation/Splunk/7.1.3/SearchReference/Commontimeformatvariables

You have 3-digit month, then day, comma four digit year.

%b %d, %Y

followed by 24-hour format hour, colon, minute, colon, second

%H:%M:%S

dot, nine digit subsecond interval

.%9Q

Put it all together and you get

%b %d, %Y %H:%M:%S.%9Q

Test it with

| makeresults  
| eval fromtime="Sep 18, 2018 17:25:24.870411000"
| eval _time = strptime(fromtime,"%b %d, %Y %H:%M:%S.%9Q")

And the epoch format result displays as...

2018-09-18 17:25:24.870

jiaqya · ‎09-26-2018

yes, this works for me too just like above . thank you

John.

msivill_splunk · ‎09-18-2018

Try....

| makeresults 
| eval date_string = "Sep 18, 2018 17:25:24.870411000" 
| eval date = strptime(date_string, "%b %d, %Y %H:%M:%S.%f")

This will capture to microsecond. The example date provided goes down to nanosecond level but only seems to use to the microsecond. Will this work for you?

jiaqya · ‎09-26-2018

Thanks, this works perfectly fine for me..

john.

Will you help me with this string to date conversion?

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!