Splunk® Data Stream Processor

Function Reference

Download manual as PDF

Download topic as PDF

Date and Time

relative_time(X, Y, Z)

This function takes three arguments: a UNIX time X, a relative time modifier Y, and a timezone Z, and returns the UNIX time value of Y applied to X rounded according to Z.

Because of the way that timezones are snapped, you must specify a timezone to determine how your time gets rounded down. For example, if your UNIX time corresponds to Monday 10pm PST and Tuesday 1am EST, then specifying a timezone allows you to select an accurate date that you want to round down to. If you do not want to round to a specific time zone, you can set the timezone field to null. For more information on snap-to-time and examples of relative time modifiers, see specify time modifiers in your search. Use this scalar function with the eval or the filter streaming functions.

Function Input
time: long
modifier: string
time-zone: string
Function Output
long

SPL2 example

The following example determines the UNIX time value of the start of the hour, based on the value of timestamp, rounded down to the GMT time zone.

...| eval n=relative_time(timestamp, "-1h@h", "GMT-0700");

strftime(X, Y, Z)

This function formats a UNIX timestamp into a human-readable timestamp. This function takes three arguments: a UNIX time X, a time-format Y, and a timezone Z, and returns X using the format specified by Y in timezone Z. The UNIX time must be in milliseconds. Use the first 13 digits of a UNIX time to use the time in milliseconds. If timezone is set to null, then UTC is used.

Use these common data and time format variables to specify the time-format Y that you want X to be formatted to.

The following time variables are not supported: %c, %+, %Ez, %X, %x, %w, %s.

Arguments

Function Input
time: long
format: string
time-zone: string
Function Output
long

SPL2 example

Returns the hour, minute, and seconds from the timestamp field in timezone UTC. If the timestamp field value is 1586541874588, then the value returned in the formatted_time field is 18:04:34.

...| eval formatted_time=strftime(timestamp, "%H:%M:%S", "null");

strptime(X,Y,Z)

This function parses a date string into a UNIX timestamp. This function takes three arguments: a timestamp X, a time format Y, and a timezone Z. If timezone is set to null, then UTC is used. Use this scalar function with the eval or the filter streaming functions.

Function Input
timestamp: string
format: string
time-zone: string
Function Output
long

The following time variables are not supported: %c, %+, %Ez, %X, %x, %w, %s.

For example, if string X is 2018-08-13 11:22:33, the format Y must be %Y-%m-%dT%H:%M:%S.

String time Matching time format variables Example time zone
Mon July 23 2018 17:19:01.89 %a %B %d %Y %H:%M:%S.%N EST
Mon 7/23/2018 17:19:01.89 %a %m/%d/%Y %H:%M:%S.%N America/New York
2018/07/23 17:19:01.89 %Y/%m/%d %H:%M:%S.%N -5:00
2018-07-23T17:19:01.89 %Y-%m-%dT%H:%M:%S.%N GMT-0500

SPL2 example

Returns 1545760232000 as type long.

...| eval n=strptime("2018-12-25T17:50:32", "%Y-%m-%dT%H:%M:%S", "UTC");

time()

This function returns the wall-clock time, in the UNIX time format, with millisecond resolution. Use this scalar function with the eval or the filter streaming functions.

Function Input
null
Function Output
long

SPL2 example

Create a new top-level field called testtime and return the UNIX time at the instant the result was processed by the eval function.

...| eval testtime=time();
Last modified on 05 August, 2020
PREVIOUS
Cryptographic
  NEXT
Iterator

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters