Effective Usage of “STRPTIME” and “STRFTIME” 

Below is the effective usage of the “strptime” and “strftime
function which are used with eval command in SPLUNK :
 
1. strptime() :
                It is an eval function which is used to 
                parse a timestamps value
 
 
2. strftime() :
                It is an eval function which is used to 
                format a timestamps value
 
 
 
Let’s say you have a timestamps field whose value is like :
 
1. 13/May/2015:15:32:11.410 +0000
213/Jul/2014:15:31:48.387 +0000   and so on …
 
 and we want the output like :
 
1. 20150513
2. 20140713
 
Below examples will show the real usage of “strptime” and “strftime
 
you have to make a two stage operations, first convert your input format to “epochand then convert it to your desired format.
 
 
1.  index=_internal sourcetype=splunkd_access
  | rex field=_raw “.*\[(?P.*)\].*” 
  | table NEW_FIELD 
  | eval FIELD=strptime
     (NEW_FIELD,”%d/%b/%Y:%H:%M:%S”)
 
 
                                NEW_FIELD FIELD
  13/May/2015:15:49:41.308 +0000 1431532181.000000
  13/May/2015:15:49:36.308 +0000 1431532176.000000
  13/May/2015:15:49:32.553 +0000 1431532172.000000
  13/May/2015:15:49:32.544 +0000 1431532172.000000
  13/May/2015:15:49:32.537 +0000 1431532172.000000
  13/May/2015:15:49:32.528 +0000 1431532172.000000
  13/May/2015:15:49:32.518 +0000 1431532172.000000
 
Explanation : 
 
        NEW_FIELD” is an existing field which has a
         value as shown above. strptime” function
         converts the value of NEW_FIELD” to “epoch
         and stores in a newly created variable called
         “FIELD


Note : If you time is “2015-03-27T15:49:34Z” then
       strptime would be “%Y-%m-%dT%H:%M:%SZ
 
Now, in order to get the Desired Output in a right
format use “strftime” function on the “epoch” value,
i.e., “FIELD
 


index=_internal sourcetype=splunkd_access 
| rex field=_raw “.*\[(?P.*)\].*” 
| table NEW_FIELD 
| eval FIELD=strptime
    (NEW_FIELD,”%d/%b/%Y:%H:%M:%S”) 
| eval DesiredTime=strftime(FIELD,”%Y%m%d”) 
| fields – FIELD

 
           NEW_FIELD DesiredTime
      13/May/2015:15:59:36.247 +0000 20150513
      13/May/2015:15:59:31.540 +0000 20150513
      13/May/2015:15:59:31.247 +0000 20150513
      13/May/2015:15:59:29.355 +0000 20150513
      13/May/2015:15:59:28.896 +0000 20150513
 
Explanation : 

        DesiredTime” is the newly created field
         which is using “strftime” function to
         format the “epoch” time to its desired
         format.



If splunk has read your timestamps(without the year)
and parsed and indexed it correctly( You can always
compare the timestamps in the events with the
timestamps next to the blue down-arrow to the left
of the event ), then you can skip the first part
( strptime )and use the _time field, which is already
in epoch.


index=_internal
| eval DesiredTime=strftime(_time,”%Y%m%d”) 
| table _time , DesiredTime


_time DesiredTime
2015-05-14 10:35:16 20150514
2015-05-14 10:35:16 20150514
2015-05-14 10:35:16 20150514
2015-05-14 10:35:15 20150514
 
So, Finally you have got an idea how to do “Effective Usage of “STRPTIME” and  “STRFTIME

Happy Splunking !!

Advertisements