Scribd Logo
Upload

Welcome to Scribd!

  • Time in Splunk

    Uploaded by

    Karl
    36 views11 pages

    Original Title

    time in Splunk

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    36 views11 pages

    Time in Splunk

    Uploaded by

    Karl

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as pdf or txt
    of 11

    Dealing with Time >

    Timestamp

    (n) A default field that represents time information in an event.


    Most events contain timestamps. In cases where an event does
    not contain timestamp information, Splunk Enterprise attempts
    to assign a timestamp value to the event at index time.

    From the Splexicon


    http://docs.splunk.com/Splexicon

    © Adam Frisbee, adamfrisbee.com


    Dealing with Time >
    The _time field

    • A Splunk-generated default field that represents time.


    • Timestamps are usually added automatically based on the
    event raw data.
    • If time and date information are not included in the event raw
    data, Splunk attempts to “guess” at a timestamp.
    • As a last resort, Splunk will set the timestamp to the system
    time.

    © Adam Frisbee, adamfrisbee.com


    Dealing with Time >
    Splunk uses the timestamp information for the time selector in
    the search bar.

    © Adam Frisbee, adamfrisbee.com


    Dealing with Time >
    Time Conversion

    • Time can be converted from Splunk’s default to a format of


    your choice using the strftime() eval function

    | eval time=strftime(_time, “%H:%M”)

    06:34

    © Adam Frisbee, adamfrisbee.com


    Dealing with Time >
    Time Conversion

    Time variable Description


    %H Hour (24 hour clock)
    %I Hour (12 hour clock)
    %M Minute
    %S Second
    %p AM or PM

    © Adam Frisbee, adamfrisbee.com


    Dealing with Time >
    Date Conversion
    Time variable Description
    %A Full day name
    %d Day of the month (01 – 31)
    %e Day of the month without leading zero (1 – 31)
    %B Full month name (January)
    %b Abbreviated month name (Jan)
    %m Month as a number (01 – 12)
    %Y Four digit year (2017)
    %y Two digit year (17)

    © Adam Frisbee, adamfrisbee.com


    Dealing with Time >
    Time Conversion for 1:07:32 p.m.

    String Timestamp
    %I:%M %p 1:07 PM
    %H:%M 13:07
    %H:%M:S 1:07:32
    %S 32
    %p PM

    © Adam Frisbee, adamfrisbee.com


    Dealing with Time >
    Time Conversion for January 20, 2017 1:07:32 p.m.

    String Timestamp
    %d %B %Y %I:%M %p 20 January 2017 1:07 PM
    %H:%M %b %y 13:07 Jan 17
    %y%Y%y%Y 172017172017

    © Adam Frisbee, adamfrisbee.com


    Demo: Time
    © Adam Frisbee, adamfrisbee.com, image credit: Jack Moreh/Freerange Stock
    Dealing with Time >
    Review

    • _time is a Splunk-generated default field that represents time.


    • Timestamps are usually added automatically based on the
    event raw data.
    • Time data is used for the time picket in the web GUI.
    • You can force your own time format using variables that begin
    with %.

    © Adam Frisbee, adamfrisbee.com


    Thanks, Splunkers!

    You might also like