Date and Time
relative_time(X, Y, Z)
This function takes three arguments: a UNIX time X, a relative time modifier Y, and a timezone Z, and returns the UNIX time value of Y applied to X rounded according to Z.
Because of the way that timezones are snapped, you must specify a timezone to determine how your time gets rounded down. For example, if your UNIX time corresponds to Monday 10pm PST and Tuesday 1am EST, then specifying a timezone allows you to select an accurate date that you want to round down to. If you do not want to round to a specific time zone, you can set the timezone field to null. For more information on snap-to-time and examples of relative time modifiers, see specify time modifiers in your search. Use this scalar function with the eval
or the filter
streaming functions.
- Function Input
- time: long
- modifier: string
- time-zone: string
- Function Output
- long
SPL2 example
The following example determines the UNIX time value of the start of the hour, based on the value of timestamp, rounded down to the GMT time zone.
...| eval n=relative_time(timestamp, "-1h@h", "GMT-0700");
strftime(X, Y, Z)
This function formats a UNIX timestamp into a human-readable timestamp. This function takes three arguments: a UNIX time X, a time-format Y, and a timezone Z, and returns X using the format specified by Y in timezone Z. The UNIX time must be in milliseconds. Use the first 13 digits of a UNIX time to use the time in milliseconds. If timezone is set to null
, then UTC
is used.
Use these common data and time format variables to specify the time-format Y that you want X to be formatted to.
The following time variables are not supported: %c, %+, %Ez, %X, %x, %w, %s.
Arguments
- Function Input
- time: long
- format: string
- time-zone: string
- Function Output
- long
SPL2 example
Returns the hour, minute, and seconds from the timestamp
field in timezone UTC. If the timestamp field value is 1586541874588, then the value returned in the formatted_time field is 18:04:34.
...| eval formatted_time=strftime(timestamp, "%H:%M:%S", "null");
strptime(X,Y,Z)
This function parses a date string into a UNIX timestamp. This function takes three arguments: a timestamp X, a time format Y, and a timezone Z. If timezone is set to null
, then UTC
is used. Use this scalar function with the eval
or the filter
streaming functions.
- Function Input
- timestamp: string
- format: string
- time-zone: string
- Function Output
- long
The following time variables are not supported: %c, %+, %Ez, %X, %x, %w, %s.
For example, if string X is 2018-08-13 11:22:33
, the format Y must be %Y-%m-%dT%H:%M:%S
.
String time | Matching time format variables | Example time zone |
---|---|---|
Mon July 23 2018 17:19:01.89
|
%a %B %d %Y %H:%M:%S.%N
|
EST |
Mon 7/23/2018 17:19:01.89
|
%a %m/%d/%Y %H:%M:%S.%N
|
America/New York |
2018/07/23 17:19:01.89
|
%Y/%m/%d %H:%M:%S.%N
|
-5:00 |
2018-07-23T17:19:01.89
|
%Y-%m-%dT%H:%M:%S.%N
|
GMT-0500 |
SPL2 example
Returns 1545760232000 as type long.
...| eval n=strptime("2018-12-25T17:50:32", "%Y-%m-%dT%H:%M:%S", "UTC");
time()
This function returns the wall-clock time, in the UNIX time format, with millisecond resolution. Use this scalar function with the eval
or the filter
streaming functions.
- Function Input
- null
- Function Output
- long
SPL2 example
Create a new top-level field called testtime
and return the UNIX time at the instant the result was processed by the eval function.
...| eval testtime=time();
Cryptographic | Iterator |
This documentation applies to the following versions of Splunk® Data Stream Processor: 1.1.0
Feedback submitted, thanks!