Splunk® Data Stream Processor

Function Reference

DSP 1.2.1 is impacted by the CVE-2021-44228 and CVE-2021-45046 security vulnerabilities from Apache Log4j. To fix these vulnerabilities, you must upgrade to DSP 1.2.4. See Upgrade the Splunk Data Stream Processor to 1.2.4 for upgrade instructions.

On October 30, 2022, all 1.2.x versions of the Splunk Data Stream Processor will reach their end of support date. See the Splunk Software Support Policy for details.

Date and Time

relative_time(time, modifier, time_zone)

This function takes three arguments: a UNIX time X, a relative time modifier Y, and a time zone Z. It returns the UNIX time value of Y applied to X, with any snap-to-time rounding in Y evaluated in time zone Z.

Snap-to-time rounds down to a boundary (such as the start of an hour or a day) in a particular time zone, so you must specify a time zone to control how your time gets rounded down. For example, a UNIX time that corresponds to Monday 10pm PST is the same instant as Tuesday 1am EST: snapped to the start of the day, it rounds to Monday in PST and to Tuesday in EST, and the time zone you pass selects which of those dates you get. If you do not want to round in a specific time zone, you can set the time_zone field to null. For more information on snap-to-time and examples of relative time modifiers, see specify time modifiers in your search. Use this scalar function with the eval or the filter streaming functions.
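The following Python model of relative_time is added here as an illustration and is not Splunk's implementation. It applies the offset part of the modifier first and the snap part second, both evaluated in the requested zone, and the accompanying check shows the Monday-versus-Tuesday effect described above: one instant snapped to @d in GMT-0700 and in GMT-0400 (fixed offsets standing in for the Pacific and Eastern zones, an assumption of this example) differs by 21 hours. It assumes time is milliseconds since the UNIX epoch, covers only the units s, m, h and d (month and year snapping are left out), and takes the time zone as a datetime.tzinfo, with None meaning the null time zone, instead of a DSP time zone string; fixed_zone, snap_down and the other names are this example's own.

```python
"""Model of DSP relative_time(time, modifier, time_zone) snap-to-time semantics.

Constructed example, not Splunk's code. time is milliseconds since the UNIX
epoch; modifier is [+|-]N<unit>, @<unit> or [+|-]N<unit>@<unit> with units
s, m, h, d (an assumption: month/year snapping is not modelled); time_zone is
a datetime.tzinfo, or None for the null time zone, which this model treats as UTC.
"""
import re
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_MODIFIER = re.compile(r"^(?:([+-]?\d+)([smhd]))?(?:@([smhd]))?$")
_UNIT = {"s": timedelta(seconds=1), "m": timedelta(minutes=1),
         "h": timedelta(hours=1), "d": timedelta(days=1)}


def fixed_zone(hours, minutes=0):
    """Fixed-offset zone, e.g. fixed_zone(-7) stands for the string "GMT-0700"."""
    return timezone(timedelta(hours=hours, minutes=minutes))


def snap_down(local, unit):
    """Round a zone-aware datetime down to the start of unit in its own zone."""
    fields = {"s": {"microsecond": 0},
              "m": {"second": 0, "microsecond": 0},
              "h": {"minute": 0, "second": 0, "microsecond": 0},
              "d": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0}}
    return local.replace(**fields[unit])


def relative_time(time_ms, modifier, time_zone=None):
    """Apply the offset first, then the snap, both evaluated in time_zone."""
    m = _MODIFIER.match(modifier)
    if modifier == "" or m is None:
        raise ValueError(f"unsupported modifier {modifier!r}")
    amount, unit, snap_unit = m.groups()
    tz = timezone.utc if time_zone is None else time_zone
    # Convert to wall-clock time in the zone; the snap happens on wall-clock fields.
    local = (EPOCH + timedelta(milliseconds=time_ms)).astimezone(tz)
    if amount is not None:
        # Note: for DST-aware zones Python adds wall-clock time here, as SPL does.
        local += int(amount) * _UNIT[unit]
    if snap_unit is not None:
        local = snap_down(local, snap_unit)
    return (local - EPOCH) // timedelta(milliseconds=1)


def snap_to_day_in_two_zones(time_ms):
    """Same instant, @d in GMT-0700 and GMT-0400: returns both results in ms."""
    return relative_time(time_ms, "@d", fixed_zone(-7)), relative_time(time_ms, "@d", fixed_zone(-4))


if __name__ == "__main__":
    # Constructed instant: Monday 2021-04-19 22:00 at GMT-0700 == Tuesday 01:00 at GMT-0400.
    west, east = snap_to_day_in_two_zones(1618894800000)
    print(west, east, (east - west) // 3600000, "hours apart")
```

The difference of 21 hours between the two results is the whole point of the time_zone argument: "@d" does not name an instant until a zone is chosen.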

Function Input
time: long
modifier: string
time_zone: string
Function Output
long

SPL2 examples

The following example determines the UNIX time value of the start of the hour before the one containing timestamp: the modifier -1h@h subtracts one hour and then snaps down to the hour, with the snap evaluated in the GMT-0700 time zone.

When working in the SPL View, you can write the function by using the following syntax.

...| eval n=relative_time(timestamp, "-1h@h", "GMT-0700");

Alternatively, you can use named arguments to list the arguments in any order.

...| eval n=relative_time(time_zone: "GMT-0700", time: timestamp, modifier: "-1h@h");

strftime(time, format, time_zone)

This function formats a UNIX timestamp into a human-readable timestamp. This function takes three arguments: a UNIX time X, a time format Y, and a time zone Z, and returns X rendered in the format specified by Y in time zone Z. The UNIX time must be in milliseconds; if you have a higher-resolution value, use only its first 13 digits. If time_zone is set to null, then UTC is used.

Use these common date and time format variables to specify the time format Y that you want X to be formatted to.

The following time variables are not supported: %c, %+, %Ez, %X, %x, %w, %s.

Function Input
time: long
format: string
time_zone: string
Function Output
string

SPL2 examples

Returns the hour, minute, and second from the timestamp field in time zone UTC. If the timestamp field value is 1586541874588, then the value returned in the formatted_time field is 18:04:34.

When working in the SPL View, you can write the function by using the following syntax.

...| eval formatted_time=strftime(timestamp, "%H:%M:%S", "null");

Alternatively, you can use named arguments to list the arguments in any order.

...| eval formatted_time=strftime(time_zone: "null", time: timestamp, format: "%H:%M:%S");

strptime(timestamp, format, time_zone)

This function parses a date string into a UNIX timestamp. This function takes three arguments: a timestamp X, a time format Y, and a timezone Z. If timezone is set to null, then UTC is used. Use this scalar function with the eval or the filter streaming functions.

Function Input
timestamp: string
format: string
time_zone: string
Function Output
long

The following time variables are not supported: %c, %+, %Ez, %X, %x, %w, %s.

The format Y must match the string X character for character. For example, if string X is 2018-08-13 11:22:33, the format Y must be %Y-%m-%d %H:%M:%S; if X is 2018-08-13T11:22:33, the format must contain the literal T as well: %Y-%m-%dT%H:%M:%S.

String time                    Matching time format variables   Example time zone
Mon July 23 2018 17:19:01.89   %a %B %d %Y %H:%M:%S.%N          EST
Mon 7/23/2018 17:19:01.89      %a %m/%d/%Y %H:%M:%S.%N          America/New_York
2018/07/23 17:19:01.89         %Y/%m/%d %H:%M:%S.%N             -5:00
2018-07-23T17:19:01.89         %Y-%m-%dT%H:%M:%S.%N             GMT-0500
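The following Python model is added as an illustration of the strptime table above and of the strftime description earlier on this page; it is not Splunk's code. It parses each string form in the table with its matching format, maps %N onto Python's %f, accepts the time zone forms the table shows (IANA names such as America/New_York resolve only if the host has tz data), rejects the format variables the page lists as unsupported, truncates higher-resolution UNIX times to their first 13 digits, and formats milliseconds back into text so the two functions round-trip. The names strptime_ms, strftime_ms, to_millis and parse_time_zone, and the treatment of "null" and of offset strings, are this example's own assumptions.

```python
"""Model of DSP strptime(timestamp, format, time_zone) and strftime(time, format, time_zone).

Constructed example, not Splunk's implementation. Times are milliseconds since
the UNIX epoch (long). %N (fractional seconds) is mapped onto Python's %f when
parsing. Time zone strings accepted here (an assumption; DSP may accept others):
None/"null", "UTC"/"GMT", "GMT+-HHMM", "+-H:MM"/"+-HH:MM", and IANA names.
"""
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Variables the page lists as unsupported: reject them instead of mis-parsing.
UNSUPPORTED = ("%c", "%+", "%Ez", "%X", "%x", "%w", "%s")
_OFFSET_RE = re.compile(r"(?:GMT|UTC)?([+-])(\d{1,2}):?(\d{2})")


def parse_time_zone(tz):
    """Turn a DSP-style time zone string into a tzinfo; null means UTC."""
    if tz is None or tz.lower() in ("null", "utc", "gmt"):
        return timezone.utc
    m = _OFFSET_RE.fullmatch(tz)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))
    try:
        return ZoneInfo(tz)          # e.g. America/New_York, needs host tz data
    except ZoneInfoNotFoundError as exc:
        raise ValueError(f"unknown time zone {tz!r}") from exc


def _check_format(fmt):
    for bad in UNSUPPORTED:
        if bad in fmt:
            raise ValueError(f"{bad} is not a supported format variable")


def to_millis(t):
    """Keep the first 13 digits of a microsecond or nanosecond UNIX time.

    Values of 13 digits or fewer are returned unchanged, so a 10-digit value in
    seconds stays in seconds and must be scaled by the caller (see strftime_ms).
    """
    digits = len(str(abs(int(t))))
    return int(t) // (10 ** (digits - 13)) if digits > 13 else int(t)


def strptime_ms(timestamp, fmt, time_zone):
    """Parse timestamp with fmt; a naive result is interpreted in time_zone."""
    _check_format(fmt)
    dt = datetime.strptime(timestamp, fmt.replace("%N", "%f"))
    if dt.tzinfo is None:            # no %z in the string: use the time_zone argument
        dt = dt.replace(tzinfo=parse_time_zone(time_zone))
    return (dt - EPOCH) // timedelta(milliseconds=1)


def strftime_ms(time_ms, fmt, time_zone):
    """Render milliseconds since the epoch with fmt in time_zone (null -> UTC)."""
    _check_format(fmt)
    dt = (EPOCH + timedelta(milliseconds=time_ms)).astimezone(parse_time_zone(time_zone))
    return dt.strftime(fmt)


if __name__ == "__main__":
    # Constructed inputs taken from the table above and the strftime example.
    for text, fmt, tz in [("2018/07/23 17:19:01.89", "%Y/%m/%d %H:%M:%S.%N", "-5:00"),
                          ("2018-07-23T17:19:01.89", "%Y-%m-%dT%H:%M:%S.%N", "GMT-0500")]:
        print(text, "->", strptime_ms(text, fmt, tz))
    print(strftime_ms(1586541874588, "%H:%M:%S", "null"))   # 18:04:34
    print(strftime_ms(1586541874, "%Y", "null"))            # seconds passed as ms: 1970
```

The last line of the demo is the caveat the page warns about: a value in seconds handed to strftime is read as milliseconds and lands in January 1970, so scale to 13 digits first.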

SPL2 examples

Parses the string 2018-12-25T17:50:32 as a UTC time and returns 1545760232000 as type long.

When working in the SPL View, you can write the function by using the following syntax.

...| eval n=strptime("2018-12-25T17:50:32", "%Y-%m-%dT%H:%M:%S", "UTC");

Alternatively, you can use named arguments to list the arguments in any order.

...| eval n=strptime(format: "%Y-%m-%dT%H:%M:%S", timestamp: "2018-12-25T17:50:32", time_zone: "UTC");

time()

This function returns the wall-clock time, in the UNIX time format, with millisecond resolution. Use this scalar function with the eval or the filter streaming functions.

Function Input
null
Function Output
long

SPL2 example

Create a new top-level field called testtime and return the UNIX time at the instant the result was processed by the eval function.

When working in the SPL View, you can write the function by using the following syntax.

...| eval testtime=time();
Last modified on 21 April, 2021

This documentation applies to the following versions of Splunk® Data Stream Processor: 1.2.0, 1.2.1-patch02, 1.2.1, 1.2.2-patch02, 1.2.4, 1.2.5, 1.3.0, 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6

