Effective Usage of "STRPTIME" and "STRFTIME"
Below is the effective usage of the "strptime" and "strftime" functions, which are used with the eval command in Splunk:
1. strptime() : an eval function used to parse a timestamp value (text) into epoch time.
2. strftime() : an eval function used to format an epoch time value into the desired text format.
Let's say you have a timestamp field whose values look like:
1. 13/May/2015:15:32:11.410 +0000
2. 13/Jul/2014:15:31:48.387 +0000 and so on ...
and we want the output like:
1. 20150513
2. 20140713
The examples below show the real usage of "strptime" and "strftime".
You have to perform a two-stage operation: first convert your input format to "epoch", and then convert the epoch value to your desired format.
```
index=_internal sourcetype=splunkd_access
| rex field=_raw ".*\[(?P<NEW_FIELD>.*)\].*"
| table NEW_FIELD
| eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S")
```
| NEW_FIELD | FIELD |
|---|---|
| 13/May/2015:15:49:41.308 +0000 | 1431532181.000000 |
| 13/May/2015:15:49:36.308 +0000 | 1431532176.000000 |
| 13/May/2015:15:49:32.553 +0000 | 1431532172.000000 |
| 13/May/2015:15:49:32.544 +0000 | 1431532172.000000 |
| 13/May/2015:15:49:32.537 +0000 | 1431532172.000000 |
| 13/May/2015:15:49:32.528 +0000 | 1431532172.000000 |
| 13/May/2015:15:49:32.518 +0000 | 1431532172.000000 |
Explanation :
"NEW_FIELD" is an existing field whose values are shown above. The "strptime" function converts the value of "NEW_FIELD" to "epoch" time and stores it in a newly created field called "FIELD".
Note : If your time is "2015-03-27T15:49:34Z", then the strptime format would be "%Y-%m-%dT%H:%M:%SZ".
Now, in order to get the desired output in the right format, use the "strftime" function on the "epoch" value, i.e., "FIELD":
```
index=_internal sourcetype=splunkd_access
| rex field=_raw ".*\[(?P<NEW_FIELD>.*)\].*"
| table NEW_FIELD
| eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S")
| eval DesiredTime=strftime(FIELD,"%Y%m%d")
| fields - FIELD
```
| NEW_FIELD | DesiredTime |
|---|---|
| 13/May/2015:15:59:36.247 +0000 | 20150513 |
| 13/May/2015:15:59:31.540 +0000 | 20150513 |
| 13/May/2015:15:59:31.247 +0000 | 20150513 |
| 13/May/2015:15:59:29.355 +0000 | 20150513 |
| 13/May/2015:15:59:28.896 +0000 | 20150513 |
Explanation :
"DesiredTime" is the newly created field, which uses the "strftime" function to format the "epoch" time into the desired format.
If Splunk has already read your timestamps (without the year), parsed them and indexed them correctly (you can always compare the timestamp in the event with the timestamp next to the blue down-arrow to the left of the event), then you can skip the first part (strptime) and use the _time field, which is already in epoch:
```
index=_internal
| eval DesiredTime=strftime(_time,"%Y%m%d")
| table _time , DesiredTime
```
| _time | DesiredTime |
|---|---|
| 2015-05-14 10:35:16 | 20150514 |
| 2015-05-14 10:35:16 | 20150514 |
| 2015-05-14 10:35:16 | 20150514 |
| 2015-05-14 10:35:15 | 20150514 |
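The same two-stage conversion, written as an added Python example (not part of the original post and not Splunk's own code) so you can check the epoch values from the tables above offline. It uses Python's strptime/strftime, which take the same format directives as the eval functions, and goes one step further than the post's search by parsing the fractional seconds and the "+0000" offset that the log lines carry (Python spells the fraction "%f"; Splunk's directive for it differs). The sample timestamps below are constructed, modelled on the ones in the post; the "_time" case is covered by calling the formatting stage directly on an epoch value.

```python
from datetime import datetime, timezone

# Constructed sample values modelled on the access-log timestamps in the post.
SAMPLE_TIMESTAMPS = [
    "13/May/2015:15:32:11.410 +0000",
    "13/Jul/2014:15:31:48.387 +0000",
]

# Python equivalent of the post's "%d/%b/%Y:%H:%M:%S", extended with the
# fractional seconds (%f) and the UTC offset (%z) present in the log lines.
INPUT_FORMAT = "%d/%b/%Y:%H:%M:%S.%f %z"


def to_epoch(ts: str, fmt: str = INPUT_FORMAT) -> float:
    """Stage 1 (the strptime step): parse a text timestamp into epoch seconds."""
    parsed = datetime.strptime(ts, fmt)
    if parsed.tzinfo is None:
        # A format without %z yields a zone-less value. Pin it to UTC explicitly;
        # otherwise the machine's local zone would shift the epoch value.
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.timestamp()


def from_epoch(epoch: float, fmt: str = "%Y%m%d") -> str:
    """Stage 2 (the strftime step): render epoch seconds in the desired format.

    This is also the only step needed when Splunk has already parsed the event
    time into _time, which is epoch.
    """
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime(fmt)


def convert(ts: str, fmt: str = INPUT_FORMAT) -> str:
    """Both stages chained: text timestamp -> epoch -> YYYYMMDD."""
    return from_epoch(to_epoch(ts, fmt))


if __name__ == "__main__":
    for ts in SAMPLE_TIMESTAMPS:
        print(f"{ts} -> {to_epoch(ts):.6f} -> {convert(ts)}")
    # The ISO-style timestamp from the note, with the format the note gives.
    print(convert("2015-03-27T15:49:34Z", "%Y-%m-%dT%H:%M:%SZ"))
```

Parsing the offset with %z is what makes the epoch value independent of the machine (or Splunk user) timezone; if your format omits it, decide explicitly which zone the text is in, as the fallback in to_epoch does.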
So, finally you have got an idea of how to make "Effective Usage of STRPTIME and STRFTIME".
Happy Splunking !!
Good article!! Thanks bro, and keep posting more and more articles.
Thanks buddy !! Please subscribe to get more such information 🙂
Do you give online training ?
Yes , I also give online training !! You can contact me at +91-8007377665