Effective Usage of "STRPTIME" and "STRFTIME"

Below is the effective usage of the "strptime" and "strftime"
functions, which are used with the eval command in Splunk:
1. strptime() :
                An eval function that parses a timestamp
                string into epoch time (seconds since
                1970-01-01 00:00:00 UTC), using a format
                string that describes the input.
2. strftime() :
                An eval function that formats an epoch
                time value into a string, using a format
                string that describes the desired output.
Let's say you have a timestamp field whose values look like:
1. 13/May/2015:15:32:11.410 +0000
2. 13/Jul/2014:15:31:48.387 +0000   and so on ...
and we want output like:
1. 20150513
2. 20140713
The examples below show the real usage of "strptime" and "strftime".
It is a two-stage operation: first convert your input format to epoch time with strptime(), then convert the epoch value to your desired format with strftime(). There is no single function that converts directly from one string format to another.
1.  index=_internal sourcetype=splunkd_access
    | rex field=_raw "\[(?P<NEW_FIELD>[^\]]+)\]"
    | table NEW_FIELD
    | eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S")

    NEW_FIELD                        FIELD
    13/May/2015:15:49:41.308 +0000   1431532181.000000
    13/May/2015:15:49:36.308 +0000   1431532176.000000
    13/May/2015:15:49:32.553 +0000   1431532172.000000
    13/May/2015:15:49:32.544 +0000   1431532172.000000
    13/May/2015:15:49:32.537 +0000   1431532172.000000
    13/May/2015:15:49:32.528 +0000   1431532172.000000
    13/May/2015:15:49:32.518 +0000   1431532172.000000
Explanation :
        "NEW_FIELD" is the field that the rex command
         extracts from _raw: the text between the first
         pair of square brackets, i.e. the timestamp shown
         above. The "strptime" function converts the value
         of "NEW_FIELD" to epoch time and stores it in a
         newly created field called "FIELD". The format
         string describes the input directive by directive:
         %d day of month, %b abbreviated month name, %Y
         four-digit year, %H:%M:%S hours, minutes, seconds.
         The trailing ".308 +0000" is not covered by this
         format, and Splunk ignores unmatched trailing text,
         which is why the fractional part of FIELD is
         .000000 above. If you need the milliseconds and
         the timezone offset preserved, extend the format to
         "%d/%b/%Y:%H:%M:%S.%3N %z".

Note : If your time is "2015-03-27T15:49:34Z" then the
       strptime format would be "%Y-%m-%dT%H:%M:%SZ".
       The "Z" here is matched as a literal character and
       carries no offset of its own, so the value is
       interpreted in the timezone the search runs under,
       not necessarily UTC.
Now, in order to get the desired output in the right
format, use the "strftime" function on the epoch value,
i.e., "FIELD".

index=_internal sourcetype=splunkd_access
| rex field=_raw "\[(?P<NEW_FIELD>[^\]]+)\]"
| table NEW_FIELD
| eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S")
| eval DesiredTime=strftime(FIELD,"%Y%m%d")
| fields - FIELD

NEW_FIELD                        DesiredTime
13/May/2015:15:59:36.247 +0000   20150513
13/May/2015:15:59:31.540 +0000   20150513
13/May/2015:15:59:31.247 +0000   20150513
13/May/2015:15:59:29.355 +0000   20150513
13/May/2015:15:59:28.896 +0000   20150513
Explanation :

        "DesiredTime" is the newly created field that
         uses the "strftime" function to format the epoch
         value in "FIELD" into the desired "%Y%m%d" layout.
         The intermediate "FIELD" is then dropped with
         "fields - FIELD" so only the input and the result
         remain in the table.

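To make the two stages concrete outside of Splunk, here is an added Python example (not code from the original page) that performs the same strptime-to-epoch and epoch-to-strftime pipeline on constructed sample values in the shape of NEW_FIELD. It goes a little beyond the page: it keeps the milliseconds and offset, handles the ISO "Z" form from the note above, and shows why the zone used at the strftime stage matters (the same instant can land on a different calendar day). Python has no %3N directive; its equivalent is %f, and the SAMPLE_TIMESTAMPS list, ACCESS_LOG_FORMAT and ISO_Z_FORMAT names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample values in the same shape as the page's NEW_FIELD column
# (not real splunkd_access log lines). The third one crosses midnight once
# it is converted to UTC.
SAMPLE_TIMESTAMPS = [
    "13/May/2015:15:49:41.308 +0000",
    "13/Jul/2014:15:31:48.387 +0000",
    "13/May/2015:23:30:00.000 -0500",
]

# Splunk's "%d/%b/%Y:%H:%M:%S.%3N %z" written in Python's strptime dialect:
# Python has no %3N; %f accepts one to six fractional-second digits.
ACCESS_LOG_FORMAT = "%d/%b/%Y:%H:%M:%S.%f %z"
# The ISO form from the page's note. The literal "Z" carries no offset in
# strptime, so the parsed value is tagged UTC explicitly in to_epoch().
ISO_Z_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def to_epoch(value: str, fmt: str) -> float:
    """Stage 1 (strptime): parse a timestamp string into epoch seconds.

    A format with no %z yields a naive datetime; this example treats it as
    UTC. Splunk instead applies the timezone the search runs under, which
    is the ambiguity an explicit %z avoids.
    """
    parsed = datetime.strptime(value, fmt)
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.timestamp()


def format_epoch(epoch: float, fmt: str, utc_offset_hours: int = 0) -> str:
    """Stage 2 (strftime): render epoch seconds in the desired format, in the
    zone given as a whole-hour offset from UTC (0 = UTC)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(epoch, tz).strftime(fmt)


def desired_time(value: str, fmt: str = ACCESS_LOG_FORMAT) -> str:
    """Both stages chained: the equivalent of the page's DesiredTime field."""
    return format_epoch(to_epoch(value, fmt), "%Y%m%d")


if __name__ == "__main__":
    for ts in SAMPLE_TIMESTAMPS:
        epoch = to_epoch(ts, ACCESS_LOG_FORMAT)
        print(f"{ts:32} {epoch:<20.6f} {desired_time(ts)}")
    # The "Z" timestamp from the page's note, parsed with its own format.
    print(desired_time("2015-03-27T15:49:34Z", ISO_Z_FORMAT))
    # Same instant rendered in UTC and in UTC-5: the calendar day differs,
    # so pick the zone deliberately when building a day-granularity field.
    e = to_epoch("13/May/2015:23:30:00.000 -0500", ACCESS_LOG_FORMAT)
    print(format_epoch(e, "%Y%m%d"), format_epoch(e, "%Y%m%d", -5))
```

The point of the last two lines is the one that bites when correlating logs from hosts in different zones: strptime() with an explicit offset gives an unambiguous epoch, but strftime() still has to be told which zone the "%Y%m%d" day should be computed in.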
If Splunk has already read your timestamps at index time
(even ones that omit the year) and parsed and indexed them
correctly (you can always compare the timestamp inside the
event with the timestamp shown next to the blue down-arrow
to the left of the event), then you can skip the first
part (strptime) and use the _time field, which is already
in epoch.

| eval DesiredTime=strftime(_time,"%Y%m%d")
| table _time, DesiredTime

_time                 DesiredTime
2015-05-14 10:35:16   20150514
2015-05-14 10:35:16   20150514
2015-05-14 10:35:16   20150514
2015-05-14 10:35:15   20150514
So, finally, you have an idea of how to make effective use of "STRPTIME" and "STRFTIME".

Happy Splunking !!
