Time in Splunk

The document discusses timestamp and time fields in Splunk. It explains that Splunk automatically assigns timestamps and the _time field represents time information. It also provides examples of converting timestamps to different time formats using strftime functions.

Uploaded by Karl

Dealing with Time > Timestamp

(n) A default field that represents time information in an event.

Most events contain timestamps. In cases where an event does not contain timestamp information, Splunk Enterprise attempts to assign a timestamp value to the event at index time.

From the Splexicon
http://docs.splunk.com/Splexicon

© Adam Frisbee, adamfrisbee.com


Dealing with Time > The _time field

• A Splunk-generated default field that represents time.
• Timestamps are usually added automatically based on the event raw data.
• If time and date information are not included in the event raw data, Splunk attempts to “guess” at a timestamp.
• As a last resort, Splunk will set the timestamp to the system time.
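The three-step fallback above (timestamp from the raw event, otherwise a guess, otherwise the system clock) matters for investigations because an event whose _time came from the indexing host's clock says nothing about when the activity actually happened. The following Python is an added illustration, not Splunk's code and not from the slides: it simulates the fallback with two hypothetical timestamp patterns, records where each _time value came from, and treats all stamps as UTC (an assumption; a real deployment must know each source's zone). The sample events are constructed.

```python
import re
import time
from datetime import datetime, timezone

# Illustrative simplification of the index-time behaviour on the slides:
# read a timestamp out of the raw event if one is present, otherwise fall
# back to the system clock and record that the value was a fallback.
# Splunk's own timestamp recognition is far more elaborate than these
# two hypothetical patterns.

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    "2017-01-20 13:07:32 sshd[1234]: Accepted publickey for alice from 10.0.0.5",
    "Jan 20 13:07:33 host kernel: usb 1-1: new device",
    "no timestamp in this line at all",
]

# (regex, strptime format) pairs, tried in order.
PATTERNS = [
    (re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"), "%Y-%m-%d %H:%M:%S"),
    (re.compile(r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"), "%b %d %H:%M:%S"),
]


def extract_time(raw, now=None, assumed_year=2017):
    """Return (epoch_seconds, source); source is 'event' or 'system'.

    Timestamps are interpreted as UTC here (an assumption for this example;
    a real deployment must know the source's timezone).
    """
    for pattern, fmt in PATTERNS:
        match = pattern.search(raw)
        if match:
            dt = datetime.strptime(match.group(0), fmt)
            if dt.year == 1900:  # syslog-style stamps carry no year
                dt = dt.replace(year=assumed_year)
            return dt.replace(tzinfo=timezone.utc).timestamp(), "event"
    # Last resort, as the slides describe: the clock of the indexing host.
    return (time.time() if now is None else now), "system"


def index_events(events, now=None):
    """Build the _time field for each event and flag fallback timestamps,
    so a later search can exclude or inspect events whose time was guessed."""
    indexed = []
    for raw in events:
        epoch, source = extract_time(raw, now=now)
        indexed.append({"_raw": raw, "_time": epoch, "time_source": source})
    return indexed


if __name__ == "__main__":
    # Fixed "now" so the output is reproducible.
    for event in index_events(SAMPLE_EVENTS, now=1484917700.0):
        print(f"{event['_time']:.0f} [{event['time_source']}] {event['_raw']}")
```

The time_source marker is the point of the exercise: when building a timeline, events marked "system" should be treated as having an unknown true time rather than plotted alongside the rest.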



Dealing with Time >

Splunk uses the timestamp information for the time selector in the search bar.


Dealing with Time > Time Conversion

• Time can be converted from Splunk’s default to a format of your choice using the strftime() eval function.

| eval time=strftime(_time, "%H:%M")

06:34


Dealing with Time > Time Conversion

Time variable   Description
%H              Hour (24 hour clock)
%I              Hour (12 hour clock)
%M              Minute
%S              Second
%p              AM or PM


Dealing with Time > Date Conversion

Time variable   Description
%A              Full day name
%d              Day of the month (01 – 31)
%e              Day of the month without leading zero (1 – 31)
%B              Full month name (January)
%b              Abbreviated month name (Jan)
%m              Month as a number (01 – 12)
%Y              Four digit year (2017)
%y              Two digit year (17)


Dealing with Time > Time Conversion for 1:07:32 p.m.

String          Timestamp
%I:%M %p        1:07 PM
%H:%M           13:07
%H:%M:%S        13:07:32
%S              32
%p              PM


Dealing with Time > Time Conversion for January 20, 2017 1:07:32 p.m.

String                  Timestamp
%d %B %Y %I:%M %p       20 January 2017 1:07 PM
%H:%M %b %y             13:07 Jan 17
%y%Y%y%Y                172017172017
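The conversion tables above can be reproduced outside Splunk, because strftime() in eval uses the same C-style directives as most languages. The Python below is an added example, not from the slides, that renders the same instant (20 January 2017 13:07:32, constructed, stored as epoch seconds the way _time is) through every format string in the tables, plus one deliberately wrong string to show what happens when the % is forgotten. Two caveats worth knowing: Python's strftime, like the C library's, zero-pads %I, so the 12-hour rows come out as 01:07 rather than 1:07; and the rendered string depends entirely on the timezone you render in, which is why the zone is an explicit argument.

```python
from datetime import datetime, timedelta, timezone

# Constructed example value: 20 January 2017 13:07:32 UTC as epoch seconds,
# the same shape as the value Splunk keeps in _time.
SAMPLE_TIME = 1484917652

# Format strings from the slides, plus one deliberate mistake.
FORMATS = [
    "%I:%M %p",
    "%H:%M",
    "%H:%M:%S",
    "%H:%M:S",    # wrong on purpose: a bare S (no %) is copied literally
    "%S",
    "%p",
    "%d %B %Y %I:%M %p",
    "%H:%M %b %y",
    "%y%Y%y%Y",
    "%A, %d %b %Y",
]


def render(epoch, fmt, tz=timezone.utc):
    """Equivalent of | eval t=strftime(_time, fmt) for an epoch value.

    _time is an absolute instant; the wall-clock string you get back is
    entirely a function of the zone you render it in, so the zone is explicit.
    """
    return datetime.fromtimestamp(epoch, tz=tz).strftime(fmt)


def conversion_table(epoch=SAMPLE_TIME, tz=timezone.utc):
    """Render every format in FORMATS for one epoch value."""
    return {fmt: render(epoch, fmt, tz) for fmt in FORMATS}


def same_instant_two_zones(epoch=SAMPLE_TIME, fmt="%H:%M"):
    """One _time value, two wall clocks: why correlation across sources needs
    an agreed zone (UTC) rather than whatever each console happens to show."""
    utc = render(epoch, fmt, timezone.utc)
    # Fixed -05:00 offset for illustration only; no daylight-saving handling.
    eastern = render(epoch, fmt, timezone(timedelta(hours=-5)))
    return utc, eastern


if __name__ == "__main__":
    for fmt, rendered in conversion_table().items():
        print(f"{fmt:<22} {rendered}")
    print("same instant in UTC and UTC-5:", same_instant_two_zones())
```

The "%H:%M:S" row is the instructive one: strftime does not complain about the missing %, it simply emits the letter S, so a malformed format string produces plausible-looking but wrong output rather than an error.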



Demo: Time
© Adam Frisbee, adamfrisbee.com, image credit: Jack Moreh/Freerange Stock
Dealing with Time > Review

• _time is a Splunk-generated default field that represents time.
• Timestamps are usually added automatically based on the event raw data.
• Time data is used for the time picker in the web GUI.
• You can force your own time format using variables that begin with %.


Thanks, Splunkers!