Effective Usage of "STRPTIME" and "STRFTIME"

Effective Usage of "STRPTIME" and "STRFTIME" 

Below is the effective usage of the "strptime" and "strftime" 

function which are used with eval command in SPLUNK :

1. strptime() :

                It is an eval function which is used to 

                parse a timestamps value

2. strftime() :

                It is an eval function which is used to 

                format a timestamps value

Let's say you have a timestamps field whose value is like :

1. 13/May/2015:15:32:11.410 +0000

2. 13/Jul/2014:15:31:48.387 +0000   and so on ...

and we want the output like :

1. 20150513

2. 20140713

Below examples will show the real usage of "strptime" and "strftime"

you have to make a two stage operations, first convert your input format to "epoch" and then convert it to your desired format.

1.  index=_internal sourcetype=splunkd_access

    | rex field=_raw ".*\[(?P<NEW_FIELD>.*)\].*" 

    | table NEW_FIELD 
    | eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S")

NEW_FIELD	FIELD
13/May/2015:15:49:41.308 +0000	1431532181.000000
13/May/2015:15:49:36.308 +0000	1431532176.000000
13/May/2015:15:49:32.553 +0000	1431532172.000000
13/May/2015:15:49:32.544 +0000	1431532172.000000
13/May/2015:15:49:32.537 +0000	1431532172.000000
13/May/2015:15:49:32.528 +0000	1431532172.000000
13/May/2015:15:49:32.518 +0000	1431532172.000000

Explanation : 

             "NEW_FIELD" is an existing field which has a value

              as shown above.

              "strptime" function converts the value of

              "NEW_FIELD" to "epoch" and stores in a newly 

              created variable called "FIELD"

Note : If you time is "2015-03-27T15:49:34Z" then
       strptime would be "%Y-%m-%dT%H:%M:%SZ"

Now, in order to get the Desired Output in a right format

use "strftime" function on the "epoch" value , i.e., "FIELD"

index=_internal sourcetype=splunkd_access 
| rex field=_raw ".*\[(?P<NEW_FIELD>.*)\].*" 
| table NEW_FIELD 
| eval FIELD=strptime(NEW_FIELD,"%d/%b/%Y:%H:%M:%S") 
| eval DesiredTime=strftime(FIELD,"%Y%m%d") 
| fields - FIELD

NEW_FIELD	DesiredTime
13/May/2015:15:59:36.247 +0000	20150513
13/May/2015:15:59:31.540 +0000	20150513
13/May/2015:15:59:31.247 +0000	20150513
13/May/2015:15:59:29.355 +0000	20150513
13/May/2015:15:59:28.896 +0000	20150513

Explanation : 

              "DesiredTime" is the newly created field which is 
               using "strftime" function to format the "epoch"
               time to its desired format.



If splunk has read your timestamps(without the year) and parsed
and indexed it correctly( You can always compare the timestamps in the events with the timestamps next to the blue down-arrow to the left of the event ), then you can skip the first part ( strptime )
and use the _time field, which is already in epoch.


index=_internal
| eval DesiredTime=strftime(_time,"%Y%m%d") 
| table _time , DesiredTime

_time	DesiredTime
2015-05-14 10:35:16	20150514
2015-05-14 10:35:16	20150514
2015-05-14 10:35:16	20150514
2015-05-14 10:35:15	20150514

So, Finally you have got an idea how to do "Effective Usage of "STRPTIME" and  "STRFTIME"

Happy Splunking !!

3

Counting of a Particular Character in a Field

Counting of a Particular Character in a Field

     There are many ways to achieve the above scenario :

   1. Using "mvcount and split"  

      index="_internal" 

      | head 4 

      | eval Var="www.google.com" 

      | eval Result=(mvcount(split(Var,"."))-1) | table Var,Result

Var	Result
www.google.com	2
www.google.com	2
www.google.com	2
www.google.com	2

Explanation :

             In the above Example,We are trying to count the

             number of "." ( dots ) in the field "Var".

             With the help of "split" function we have split

             the words by "." split(Var,"."), so there 

             are three words coming "www","google" and "com"   

             and then we are taking the count of these words.

             mvcount(split(Var,".")). So,there are three words.

             But in order to achieve the output we have to 

             subtract "1" from the whole output.

             (mvcount(split(Var,"."))-1) whose result is stored

             in a newly created field called "Result"

Hope this has helped you in achieving the below requirement without fail :

Counting of a Particular Character in a Field

Happy Splunking !!

0

How to add Serial Number in each line of your event

       How to add Serial Number in each line of your event

     There are many ways to achieve the above scenario :

1. Using "steamstats"   

      index="_internal" sourcetype=splunkd 

    | table log_level, splunk_server 

    | head 4

    | streamstats count | table count,log_level,splunk_server

count	log_level	splunk_server
1	INFO	XXXX
2	INFO	XXXX
3	INFO	XXXX
4	INFO	XXXX

2. Using "accum"   

      index="_internal" sourcetype=splunkd 

    | table log_level, splunk_server 

    | head 4

    | eval Number=1 

    | accum Number

    | table Number,log_level,splunk_server

Number	log_level	splunk_server
1	INFO	XXXX
2	INFO	XXXX
3	INFO	XXXX
4	INFO	XXXX

Hope this has helped you in achieving the below requirement without fail :

How to add Serial Number in each line of your event

Happy Splunking !!

1