Thursday, May 14

Effective Usage of "STRPTIME" and "STRFTIME"

Below is the effective usage of the "strptime" and "strftime"
functions, which are used with the eval command in Splunk:

1. strptime() :
                It is an eval function which parses a timestamp
                string into epoch time (seconds since 1970-01-01 UTC).

2. strftime() :
                It is an eval function which formats an epoch
                value into a human-readable timestamp string.

Let's say you have a timestamp field whose values look like:

1. 13/May/2015:15:32:11.410 +0000
2. 13/Jul/2014:15:31:48.387 +0000   and so on ...

and we want the output like:

1. 20150513
2. 20140713

The examples below show the real usage of "strptime" and "strftime".

You have to do this in two stages: first convert your input format to "epoch" with strptime, then convert the epoch value to your desired format with strftime.

1.  index=_internal sourcetype=splunkd_access
    | rex field=_raw ".*\[(?P<NEW_FIELD>.*)\].*" 
    | table NEW_FIELD 
    | eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S")

  NEW_FIELD                          FIELD
  13/May/2015:15:49:41.308 +0000     1431532181.000000
  13/May/2015:15:49:36.308 +0000     1431532176.000000
  13/May/2015:15:49:32.553 +0000     1431532172.000000
  13/May/2015:15:49:32.544 +0000     1431532172.000000
  13/May/2015:15:49:32.537 +0000     1431532172.000000
  13/May/2015:15:49:32.528 +0000     1431532172.000000
  13/May/2015:15:49:32.518 +0000     1431532172.000000

Explanation : 

             "NEW_FIELD" is the field extracted by rex, whose value
              is the bracketed timestamp shown above. (The greedy
              ".*" inside the brackets works here because a
              splunkd_access event has only one bracketed field; use
              "[^\]]+" instead if your events have more than one.)
              "strptime" converts the value of "NEW_FIELD" to "epoch"
              and stores it in a newly created field called "FIELD".

Notice that the format string stops at %S. The trailing milliseconds
and the "+0000" offset are not consumed, so the subsecond part is lost
(which is why FIELD ends in .000000) and the time is interpreted in the
search head's/user's timezone rather than the one in the string. If
your events carry a non-UTC offset, the epoch value will be shifted by
that offset. To keep both, use the full format:
"%d/%b/%Y:%H:%M:%S.%3N %z"

Note : If your time is "2015-03-27T15:49:34Z" then the
       strptime format would be "%Y-%m-%dT%H:%M:%SZ"

Now, to get the desired output in the right format,
apply the "strftime" function to the "epoch" value, i.e., "FIELD":

index=_internal sourcetype=splunkd_access 
| rex field=_raw ".*\[(?P<NEW_FIELD>.*)\].*" 
| table NEW_FIELD 
| eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S") 
| eval DesiredTime=strftime(FIELD,"%Y%m%d") 
| fields - FIELD

      NEW_FIELD                          DesiredTime
      13/May/2015:15:59:36.247 +0000     20150513
      13/May/2015:15:59:31.540 +0000     20150513
      13/May/2015:15:59:31.247 +0000     20150513
      13/May/2015:15:59:29.355 +0000     20150513
      13/May/2015:15:59:28.896 +0000     20150513

Explanation : 

              "DesiredTime" is the newly created field in which
               "strftime" formats the "epoch" time in "FIELD" into
               the desired YYYYMMDD layout. "fields - FIELD" then
               drops the intermediate epoch column from the output.
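The same two-stage pipeline, written in Python as an added example (not code from the post): Python's datetime.strptime/strftime use the same %d/%b/%Y/%H/%M/%S/%z directives as Splunk's eval functions, with %f standing in for Splunk's %3N. The block parses the page's own sample timestamps both ways, with the full format that consumes the offset and with the page's truncated format that ignores it, and shows why ignoring the offset matters. The third sample value with a +0530 offset is constructed for this example, and the truncated parse assumes the search head is in UTC, which is what the page's output implies.

```python
from datetime import datetime, timezone

# Constructed sample values in the bracketed splunkd_access timestamp format.
SAMPLES = [
    "13/May/2015:15:49:41.308 +0000",
    "13/Jul/2014:15:31:48.387 +0000",
    "14/May/2015:02:00:00.000 +0530",  # constructed: non-UTC offset, day changes in UTC
]

# Full format: fractional seconds and the UTC offset are consumed, not ignored.
# Python uses %f for fractional seconds where Splunk uses %3N; %z is the same in both.
FULL_FMT = "%d/%b/%Y:%H:%M:%S.%f %z"

# The page's format, which stops before the ".308 +0000" tail.
PAGE_FMT = "%d/%b/%Y:%H:%M:%S"


def to_epoch(ts: str) -> float:
    """Stage 1 (strptime): string -> epoch seconds, honouring the offset in the string."""
    return datetime.strptime(ts, FULL_FMT).timestamp()


def to_epoch_page_style(ts: str, assumed_tz=timezone.utc) -> float:
    """Stage 1 as written on the page: the offset is never parsed, so the wall-clock
    time is interpreted in whatever zone the search head / user profile uses.
    Assumption for this example: that zone is UTC, matching the page's output."""
    head = ts.split(".", 1)[0]  # drop fractional seconds and the offset, as %S does
    naive = datetime.strptime(head, PAGE_FMT)
    return naive.replace(tzinfo=assumed_tz).timestamp()


def to_yyyymmdd(epoch: float, tz=timezone.utc) -> str:
    """Stage 2 (strftime): epoch -> YYYYMMDD, rendered in the given zone."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y%m%d")


def convert(ts: str) -> str:
    """Both stages together, the equivalent of strftime(strptime(x, ...), "%Y%m%d")."""
    return to_yyyymmdd(to_epoch(ts))


if __name__ == "__main__":
    for ts in SAMPLES:
        full = to_epoch(ts)
        page = to_epoch_page_style(ts)
        print(f"{ts:32} full={full:.3f} page_style={page:.3f} "
              f"day={convert(ts)} page_day={to_yyyymmdd(page)} skew={page - full:+.0f}s")
```

For the two +0000 samples both parses agree on the day, and the page-style epoch is exactly the integer value shown in the FIELD column above (the .308 is discarded). For the +0530 sample the page-style parse is 19800 seconds off and lands on 20150514 instead of the correct 20150513, which is the failure mode the "%3N %z" suffix avoids.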

If Splunk has already read your timestamp at index time (even when the raw
timestamp has no year) and parsed and indexed it correctly (you can always compare
the timestamp in the raw event with the one shown next to the blue down-arrow to the
left of the event), then you can skip the first part (strptime)
and use the _time field, which is already in epoch form.

| eval DesiredTime=strftime(_time,"%Y%m%d") 
| table _time , DesiredTime

_time                 DesiredTime
2015-05-14 10:35:16   20150514
2015-05-14 10:35:16   20150514
2015-05-14 10:35:16   20150514
2015-05-14 10:35:15   20150514

So, finally, you have an idea of how to make effective use of "STRPTIME" and "STRFTIME".

Happy Splunking !!


Balasaheb Lalge said...

Good Article!! Thanks Bro and keep posting more and more article

Anonymous said...

Do you give online training ?

abhay said...

Yes , I also give online training !! You can contact me at +91-8007377665