Splunk® Data Stream Processor

Function Reference

On April 3, 2023, Splunk Data Stream Processor will reach its end of sale, and will reach its end of life on February 28, 2025. If you are an existing DSP customer, please reach out to your account team for more information.
This documentation does not apply to the most recent version of Splunk® Data Stream Processor. For documentation on the most recent version, go to the latest release.

Date and Time

relative_time(X, Y, Z)

This function takes three arguments: a UNIX time X, a relative time modifier Y, and a timezone Z, and returns the UNIX time value of Y applied to X rounded according to Z.

Because of the way that timezones are snapped, you must specify a timezone to determine how your time gets rounded down. For example, if your UNIX time corresponds to Monday 10pm PST and Tuesday 1am EST, then specifying a timezone allows you to select an accurate date that you want to round down to. If you do not want to round to a specific time zone, you can set the timezone field to null. For more information on snap-to-time and examples of relative time modifiers, see specify time modifiers in your search. Use this scalar function with the eval or the filter streaming functions.

Function Input
time: long
modifier: string
time-zone: string
Function Output
long

DSL example

Returns 1551600000. 

relative_time(1555547674, "-1h@h", "GMT-0700");

strftime(X, Y, Z)

This function formats a UNIX timestamp into a human-readable timestamp. This function takes three arguments: a UNIX time X, a time-format Y, and a timezone Z, and returns X using the format specified by Y in timezone Z. The UNIX time must be in milliseconds. Use the first 13 digits of a UNIX time to use the time in milliseconds. If timezone is set to null, then UTC is used.

Use these common data and time format variables to specify the time-format Y that you want X to be formatted to.

The following time variables are not supported: %c, %+, %Ez, %X, %x, %w, %s.

Arguments

Function Input
time: long
format: string
time-zone: string
Function Output
long

DSL example

Returns 2018-12-25T18:50:32. 

strftime(1545760232000L, "%Y-%m-%dT%H:%M:%S", "+01:00")

strptime(X,Y,Z)

This function parses a date string into a UNIX timestamp. This function takes three arguments: a timestamp X, a time format Y, and a timezone Z. If timezone is set to null, then UTC is used. Use this scalar function with the eval or the filter streaming functions.

Function Input
timestamp: string
format: string
time-zone: string
Function Output
long

The following time variables are not supported: %c, %+, %Ez, %X, %x, %w, %s.

For example, if string X is 2018-08-13 11:22:33, the format Y must be %Y-%m-%dT%H:%M:%S.

String time Matching time format variables Example time zone
Mon July 23 2018 17:19:01.89 %a %B %d %Y %H:%M:%S.%N EST
Mon 7/23/2018 17:19:01.89 %a %m/%d/%Y %H:%M:%S.%N America/New York
2018/07/23 17:19:01.89 %Y/%m/%d %H:%M:%S.%N -5:00
2018-07-23T17:19:01.89 %Y-%m-%dT%H:%M:%S.%N GMT-0500

DSL example

Returns 1545760232000 as type long. 

strptime("2018-12-25T17:50:32", "%Y-%m-%dT%H:%M:%S", "UTC");

time()

This function returns the wall-clock time, in the UNIX time format, with millisecond resolution. Use this scalar function with the eval or the filter streaming functions.

Function Input
null
Function Output
long

DSL example

Returns the UNIX time exactly when the record was processed by the selected function. 

time();
Last modified on 02 January, 2020
Cryptographic   Mathematical

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.0.1

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters