Splunk: Extract string and convert it to date format

date splunk

Solution 1:

There's nothing special about those timestamps - they're in standard form. Use the strptime function to convert them.

index = something 
|rex field=_raw "id>(?<Id>[^\<]+)" 
|rex "timeStamp>(?<timeStamp>[^\<]+)"
| eval ts = strptime(timeStamp, "%Y-%m-%dT%H:%M:%S.%3N%Z")
| eval diff = ts - _time
| table _time Id timeStamp diff

Solution 2:

Check out strftime.org, and the related strptime function used with eval

Something on the order of this (pulled the microseconds out of your rex, since Unix epoch time has no concept of subsecond intervals):

| rex field=_raw "timeStamp\>(?<timeStamp>[^\.]+)\.\d+Z"
| eval unixepoch=strptime(timeStamp,"%Y-%m-%dT%H:%M:%S")

Related

when i use itk to read '.nii.gz' file ,reader->update give me a microsoft c++ error
" npx cap add ios" fails with error "Updating iOS native dependencies with pod install - failed!"
Can I set_markup to a PopupMenuItem?
PyQt5 UI "freezes" when updating it too quickly from another thread
Browser responses with 502 containing a single 'date' header
python statsmodels ARIMA plot_predict: How to get the data predicted?
How to add time to date time?
Two Scrolls Appearing on primeng table page
How is a unique_ptr unique?
Unexpected token '?' discord.js
How I can I convert timezones in Perl?
How can I change the timezone of a datetime value in Perl?