Effective Usage of "STRPTIME" and "STRFTIME"
Below is the effective usage of the "strptime" and "strftime"
function which are used with eval command in SPLUNK :
1. strptime() :
It is an eval function which is used to
parse a timestamps value
2. strftime() :
It is an eval function which is used to
format a timestamps value
Let's say you have a timestamps field whose value is like :
1. 13/May/2015:15:32:11.410 +0000
2. 13/Jul/2014:15:31:48.387 +0000 and so on ...
and we want the output like :
1. 20150513
2. 20140713
Below examples will show the real usage of "strptime" and "strftime"
you have to make a two stage operations, first convert your input format to "epoch" and then convert it to your desired format.
1. index=_internal sourcetype=splunkd_access
| rex field=_raw ".*\[(?P<NEW_FIELD>.*)\].*"
| table NEW_FIELD
| eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S")
| eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S")
| NEW_FIELD | FIELD |
|---|---|
| 13/May/2015:15:49:41.308 +0000 | 1431532181.000000 |
| 13/May/2015:15:49:36.308 +0000 | 1431532176.000000 |
| 13/May/2015:15:49:32.553 +0000 | 1431532172.000000 |
| 13/May/2015:15:49:32.544 +0000 | 1431532172.000000 |
| 13/May/2015:15:49:32.537 +0000 | 1431532172.000000 |
| 13/May/2015:15:49:32.528 +0000 | 1431532172.000000 |
| 13/May/2015:15:49:32.518 +0000 | 1431532172.000000 |
Explanation :
"NEW_FIELD" is an existing field which has a value
as shown above.
"strptime" function converts the value of
"NEW_FIELD" to "epoch" and stores in a newly
created variable called "FIELD"
Note : If you time is "2015-03-27T15:49:34Z" then
strptime would be "%Y-%m-%dT%H:%M:%SZ"
Now, in order to get the Desired Output in a right format
use "strftime" function on the "epoch" value , i.e., "FIELD"
index=_internal sourcetype=splunkd_access
| rex field=_raw ".*\[(?P<NEW_FIELD>.*)\].*"
| table NEW_FIELD
| eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S")
| eval DesiredTime=strftime(FIELD,"%Y%m%d")
| fields - FIELD
| NEW_FIELD | DesiredTime |
|---|---|
| 13/May/2015:15:59:36.247 +0000 | 20150513 |
| 13/May/2015:15:59:31.540 +0000 | 20150513 |
| 13/May/2015:15:59:31.247 +0000 | 20150513 |
| 13/May/2015:15:59:29.355 +0000 | 20150513 |
| 13/May/2015:15:59:28.896 +0000 | 20150513 |
Explanation :
"DesiredTime" is the newly created field which is
using "strftime" function to format the "epoch"
time to its desired format.
If splunk has read your timestamps(without the year) and parsed
and indexed it correctly( You can always compare the timestamps in the events with the timestamps next to the blue down-arrow to the left of the event ), then you can skip the first part ( strptime )
and use the _time field, which is already in epoch.
index=_internal
| eval DesiredTime=strftime(_time,"%Y%m%d")
| table _time , DesiredTime
| _time | DesiredTime |
|---|---|
| 2015-05-14 10:35:16 | 20150514 |
| 2015-05-14 10:35:16 | 20150514 |
| 2015-05-14 10:35:16 | 20150514 |
| 2015-05-14 10:35:15 | 20150514 |
So, Finally you have got an idea how to do "Effective Usage of "STRPTIME" and "STRFTIME"
Happy Splunking !!
3 comments:
Good Article!! Thanks Bro and keep posting more and more article
Do you give online training ?
Yes , I also give online training !! You can contact me at +91-8007377665
Post a Comment