I want to convert my default time field to UNIX/Epoch time and have it in a different field. I have an existing column 'Date' and I need to convert it from a string to a date value. I've tried some of the answers but none of them have worked so far.

In Splunk Web, the time field appears in a human-readable format in the UI but is stored in UNIX time. I believe that you'll have to make a two-stage operation: first convert your input format to epoch, then convert it to your desired format. The strptime function takes any date from January 1, 1970 (the start of the UNIX epoch) or later, and calculates the UNIX time, in seconds, from January 1, 1970 to the date you provide.

| eval epochtime=strptime(your_current_time_field, "%b %d %H:%M:%S") | eval desired_time=strftime(epochtime, "%d/%m/%Y %I:%M:%S %p")

However, since the data coming in has no year specification, I'm not sure that you would get usable results. It may be that you'll have to make changes to the logging application so that the full date is being logged. For information regarding strftime and strptime, see the Splunk documentation.

Ah, ziegfried has an important point. If Splunk has read your timestamp (without the year) and parsed and indexed it correctly (you can compare the timestamps in the events with the timestamp next to the blue down-arrow thingy to the left of the event), then you can skip the first part and use the _time field, which is already in epoch:

| eval desired_time=strftime(_time, "%d/%m/%Y %I:%M:%S %p")

Unfortunately we don't ship our 'DateTimeTest' utility that allows easy testing of strptime/strftime functionality; please file an ER for that to be included in the CLI/UI.

Anyway, it's not uncommon for a whole Splunk deployment to have everything, including search heads, living in the UTC timezone. Sometimes you'll also come across the idea that 'epochtime is in UTC', which is nonsensical because an epoch time is just a number of seconds. UTC is a timezone, basically GMT with no daylight saving time ever.