Date and Time functions
The following list contains the functions that you can use to calculate dates and time.
For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.
In addition to the functions listed in this topic, there are also variables and modifiers that you can use in searches.
now()
Description
This function takes no arguments and returns the time that the search was started.
Usage
The now() function is often used with other data and time functions.
The time returned by the now() function is represented in UNIX time, or in seconds since Epoch time.
When used in a search, this function returns the UNIX time when the search is run. If you want to return the UNIX time when each result is returned, use the time() function instead.
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
Basic example
The following example determines the UNIX time value of the start of yesterday, based on the value of now(). This example uses a "snap-to" time modifier to snap to the start of the day. See How to specify relative time modifiers.
... | eval n=relative_time(now(), "-1d@d")
Extended example
If you are looking for events that occurred within the last 30 minutes you need to calculate the event hour, event minute, the current hour, and the current minute. You use the now() function to calculate the current hour (curHour) and current minute (curMin). The event timestamp, in the _time field, is used to calculate the event hour (eventHour) and event minute (eventMin). For example:
... earliest=-30d
| eval eventHour=strftime(_time,"%H")
| eval eventMin=strftime(_time,"%M")
| eval curHour=strftime(now(),"%H")
| eval curMin=strftime(now(),"%M")
| where (eventHour=curHour and eventMin > curMin - 30) or
(curMin < 30 and eventHour=curHour-1 and eventMin>curMin+30)
| bucket _time span=1d
| chart count by _time
relative_time(<time>,<specifier>)
Description
This function takes a UNIX time as the first argument and a relative time specifier as the second argument and returns the UNIX time value of <specifier> applied to <time>.
Usage
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
Basic examples
The following example determines the UNIX time value of the start of yesterday, based on the value of now(). This example uses a "snap-to" time modifier to snap to the the start of the day. See How to specify relative time modifiers.
... | eval n=relative_time(now(), "-1d@d")
The following example specifies an earliest time of 2 hours ago snapped to the hour and a latest time of 1 hour ago snapped to the hour. The offset -2h is processed first, followed by the snap-to time @h.
... | where _time>relative_time(now(), "-2h@h") AND _time<relative_time(now(), "-1h@h")
strftime(<time>,<format>)
Description
This function takes a UNIX time value as the first argument and renders the time as a string using the format specified. The UNIX time must be in seconds. Use the first 10 digits of a UNIX time to use the time in seconds.
You can use time format variables with the strftime function. For a complete list and descriptions of the format options, see
Date and time format variables.
Usage
If the time is in milliseconds, microseconds, or nanoseconds you must convert the time into seconds. You can use the pow function to convert the number.
- To convert from milliseconds to seconds, divide the number by 1000 or 10^3.
- To convert from microseconds to seconds, divide the number by 10^6.
- To convert from nanoseconds to seconds, divide the number by 10^9.
The following search uses the pow function to convert from nanoseconds to seconds:
| makeresults | eval StartTimestamp="1521467703049000000"| eval starttime=strftime(StartTimestamp/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")
The results appear on the Statistics tab and look like this:
| StartTimeStamp | _time | starttime |
|---|---|---|
| 1521467703049000000 | 2018-08-10 09:04:00 | 2018-03-19T06:55:03.049 |
In these results, the _time value is the date and time when the search was run.
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
Basic examples
The following example returns the hour and minute from the _time field.
...| eval hour_min=strftime(_time, "%H:%M")
If the _time field value is 2022-08-10 11:48:23, the value returned in the hour_min field is 11:48.
The following example creates a new field called starttime in your search results. For the strftimevalues, the now() function is used to generate the current UNIX time and date and time variables are used to specify the ISO 8601 timestamp format;
...| eval starttime=strftime(now(),"%Y-%m-%dT%H:%M:%S.%Q")
The results look something like this:
| _starttime |
|---|
| 2022-02-11T01:55:00.000 |
For more information about date and time variables, see Date and time format variables.
Extended example
The following example creates a single result using the makeresults command.
| makeresults
For example:
| _time |
|---|
| 2022-08-14 14:00:15 |
The _time field is stored in UNIX time, even though it displays in a human readable format. To convert the UNIX time to some other format, you use the strftime function with the date and time format variables. The variables must be in quotations marks.
For example, to return the week of the year that an event occurred in, use the %V variable.
| makeresults | eval week=strftime(_time,"%V")
The results show that August 14th occurred in week 33.
| _time | week |
|---|---|
| 2022-08-14 14:00:15 | 33 |
To return the date and time with subseconds and the time designator (the letter T) that precedes the time components of the format, use the %Y-%m-%dT%H:%M:%S.%Q variables. For example:
| makeresults | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")
The results are:
| _time | mytime |
|---|---|
| 2022-08-14 14:00:15 | 2022-08-14T14:00:15.000 |
strptime(<str>,<format>)
Description
This function takes a time represented by a string and parses the time into a UNIX timestamp format. You use date and time variables to specify the format that matches string. For a complete list and descriptions of the variables, see Date and time format variables.
The strptime function doesn't work with timestamps that consist of only a month and year. The timestamps must include a day.
For example, if string X is 2022-08-13 11:22:33, the format Y must be %Y-%m-%d %H:%M:%S . The string X date must be January 1, 1971 or later. The strptime function takes any date from January 1, 1971 or later, and calculates the UNIX time, in seconds, from January 1, 1970 to the date you provide.
The _time field is in UNIX time. In Splunk Web, the _time field appears in a human readable format in the UI but is stored in UNIX time. If you attempt to use the strptime function on the _time field, no action is performed on the values in the field.
Usage
With the strptime function, you must specify the time format of the string so that the function can convert the string time into the correct UNIX time. The following table shows some examples:
| String time | Matching time format variables |
|---|---|
Mon July 23 2022 17:19:01.89
|
%a %B %d %Y %H:%M:%S.%N
|
Mon 7/23/2022 17:19:01.89
|
%a %m/%d/%Y %H:%M:%S.%N
|
2022/07/23 17:19:01.89
|
%Y/%m/%d %H:%M:%S.%N
|
2022-07-23T17:19:01.89
|
%Y-%m-%dT%H:%M:%S.%N
|
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
Basic example
If the values in the timeStr field are hours and minutes, such as 11:59, the following example returns the time as a timestamp:
... | eval n=strptime(timeStr, "%H:%M")
Extended example
This example shows the results of using the strptime function. The following search does several things:
- The
gentimescommand generates a set of times with 6 hour intervals. This command returns four fields:startime,starthuman,endtime, andendhuman. - The
fieldscommand returns only thestarthumanandendhumanfields. - The
evalcommand takes the string time values in thestarthumanfield and returns the UNIX time that corresponds to the string time values.
| gentimes start=8/13/18 increment=6h
| fields starthuman endhuman
| eval startunix=strptime(starthuman,"%a %B %d %H:%M:%S.%N %Y")
The results appear on the Statistics tab and look something like this:
| starthuman | endhuman | startunix |
|---|---|---|
| Mon Aug 13 00:00:00 2018 | Mon Aug 13 05:59:59 2018 | 1534143600.000000 |
| Mon Aug 13 06:00:00 2018 | Mon Aug 13 11:59:59 2018 | 1534165200.000000 |
| Mon Aug 13 12:00:00 2018 | Mon Aug 13 17:59:59 2018 | 1534186800.000000 |
| Mon Aug 13 18:00:00 2018 | Mon Aug 13 23:59:59 2018 | 1534208400.000000 |
| Tue Aug 14 00:00:00 2018 | Tue Aug 14 05:59:59 2018 | 1534230000.000000 |
| Tue Aug 14 06:00:00 2018 | Tue Aug 14 11:59:59 2018 | 1534251600.000000 |
| Tue Aug 14 12:00:00 2018 | Tue Aug 14 17:59:59 2018 | 1534273200.000000 |
| Tue Aug 14 18:00:00 2018 | Tue Aug 14 23:59:59 2018 | 1534294800.000000 |
time()
Description
This function returns the wall-clock time, in the UNIX time format, with microsecond resolution.
Usage
The value of the time() function will be different for each event, based on when that event was processed by the eval command.
You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.
Basic example
This example shows the results of using the time() function. The following search does several things:
- The
gentimescommand generates a set of times with 6 hour intervals. This command returns four fields:startime,starthuman,endtime, andendhuman. - The
fieldscommand returns only thestartimeandstarthumanfields. - The first
evalcommand takes the numbers in thestarttimefield and returns them with microseconds included. - The second
evalcommand creates thetesttimefield and returns the UNIX time at the instant the result was processed by theevalcommand.
| gentimes start=8/13/18 increment=6h
| fields starttime starthuman
| eval epoch_time=strptime(starttime,"%s")
| eval testtime=time()
The results appear on the Statistics tab and look something like this:
| starttime | starthuman | epoch_time | testtime |
|---|---|---|---|
| 1534143600 | Mon Aug 13 00:00:00 2018 | 1534143600.000000 | 1534376565.299298 |
| 1534165200 | Mon Aug 13 06:00:00 2018 | 1534165200.000000 | 1534376565.299300 |
| 1534186800 | Mon Aug 13 12:00:00 2018 | 1534186800.000000 | 1534376565.299302 |
| 1534208400 | Mon Aug 13 18:00:00 2018 | 1534208400.000000 | 1534376565.299304 |
| 1534230000 | Tue Aug 14 00:00:00 2018 | 1534230000.000000 | 1534376565.299305 |
| 1534251600 | Tue Aug 14 06:00:00 2018 | 1534251600.000000 | 1534376565.299306 |
| 1534273200 | Tue Aug 14 12:00:00 2018 | 1534273200.000000 | 1534376565.299308 |
| 1534294800 | Tue Aug 14 18:00:00 2018 | 1534294800.000000 | 1534376565.299309 |
Notice the difference in the microseconds between the values in the epoch_time and test_time fields. You can see that the test_time values increase with each result.
| Cryptographic functions | Informational functions |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.1.8, 9.1.9, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.2.5, 9.2.6, 9.3.0, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.0, 9.4.1, 9.4.2
Download manual
Feedback submitted, thanks!