Date and Time functions - Splunk Documentation (2024)

The following list contains the functions that you can use to calculate dates and time.

For information about using string and numeric fields in functions, and nesting functions, see Evaluation functions.

In addition to the functions listed in this topic, there are also variables and modifiers that you can use in searches.

  • Date and time format variables
  • Time modifiers

now()

Description

This function takes no arguments and returns the time that the search was started.

Usage

The now() function is often used with other date and time functions.

The time returned by the now() function is represented in UNIX time, or in seconds since Epoch time.

When used in a search, this function returns the UNIX time when the search is run. If you want to return the UNIX time when each result is returned, use the time() function instead.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic example

The following example determines the UNIX time value of the start of yesterday, based on the value of now(). This example uses a "snap-to" time modifier to snap to the start of the day. See How to specify relative time modifiers.

... | eval n=relative_time(now(), "-1d@d")

Extended example

If you are looking for events that occurred within the last 30 minutes, you need to calculate the event hour, event minute, the current hour, and the current minute. Use the now() function to calculate the current hour (curHour) and current minute (curMin). The event timestamp, in the _time field, is used to calculate the event hour (eventHour) and event minute (eventMin). For example:

... earliest=-30d | eval eventHour=strftime(_time,"%H") | eval eventMin=strftime(_time,"%M") | eval curHour=strftime(now(),"%H") | eval curMin=strftime(now(),"%M") | where (eventHour=curHour and eventMin > curMin - 30) or (curMin < 30 and eventHour=curHour-1 and eventMin>curMin+30) | bucket _time span=1d | chart count by _time

relative_time(<time>,<specifier>)

Description

This function takes a UNIX time as the first argument and a relative time specifier as the second argument and returns the UNIX time value of <specifier> applied to <time>.

Usage

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example determines the UNIX time value of the start of yesterday, based on the value of now(). This example uses a "snap-to" time modifier to snap to the start of the day. See How to specify relative time modifiers.

... | eval n=relative_time(now(), "-1d@d")


The following example specifies an earliest time of 2 hours ago snapped to the hour and a latest time of 1 hour ago snapped to the hour. The offset -2h is processed first, followed by the snap-to time @h.

... | where _time>relative_time(now(), "-2h@h") AND _time<relative_time(now(), "-1h@h")
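The offset-then-snap order described above, mirrored in Python as an added example (this is not Splunk's code). It supports the s/m/h/d units only, interprets all times in UTC (Splunk snaps in the search's time zone), and the NOW value is a constructed timestamp.

```python
import re
from datetime import datetime, timezone

# Seconds per offset unit. Splunk also accepts w, mon, q and y; they are
# omitted here because month and year offsets are not fixed-length.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# <signed amount><unit> followed by an optional @<snap unit>, e.g. "-1d@d".
SPEC_RE = re.compile(r"^(?:([+-]?\d+)([smhd]))?(?:@([smhd]))?$")

def snap_to(ts, unit):
    """Truncate UNIX seconds (interpreted in UTC) to the start of unit."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    fields = {"s": {}, "m": {"second": 0}, "h": {"minute": 0, "second": 0},
              "d": {"hour": 0, "minute": 0, "second": 0}}[unit]
    return int(dt.replace(microsecond=0, **fields).timestamp())

def relative_time(ts, spec):
    """Mirror Splunk's relative_time(<time>, <specifier>) for s/m/h/d:
    the offset is applied first, then the snap-to, as the page states."""
    m = SPEC_RE.match(spec)
    if not m or spec == "":
        raise ValueError(f"unsupported specifier: {spec!r}")
    amount, unit, snap_unit = m.groups()
    if amount is not None:
        ts += int(amount) * UNIT_SECONDS[unit]
    if snap_unit is not None:
        ts = snap_to(ts, snap_unit)
    return int(ts)

def in_window(event_ts, now_ts, earliest_spec, latest_spec):
    """The page's where clause: earliest < _time < latest (both strict)."""
    return (relative_time(now_ts, earliest_spec) < event_ts
            < relative_time(now_ts, latest_spec))

# Constructed "now": 2018-08-13 03:25:00 UTC.
NOW = 1534131300

if __name__ == "__main__":
    print(relative_time(NOW, "-1d@d"))   # start of yesterday, UTC
    print(relative_time(NOW, "-2h@h"), relative_time(NOW, "-1h@h"))
```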

strftime(<time>,<format>)

Description

This function takes a UNIX time value as the first argument and renders the time as a string using the format specified. The UNIX time must be in seconds. Use the first 10 digits of a UNIX time to use the time in seconds.

Usage

If the time is in milliseconds, microseconds, or nanoseconds, you must convert the time into seconds. You can use the pow function to convert the number.

  • To convert from milliseconds to seconds, divide the number by 1000 or 10^3.
  • To convert from microseconds to seconds, divide the number by 10^6.
  • To convert from nanoseconds to seconds, divide the number by 10^9.

The following search uses the pow function to convert from nanoseconds to seconds:

| makeresults | eval StartTimestamp="1521467703049000000"| eval starttime=strftime(StartTimestamp/pow(10,9),"%Y-%m-%dT%H:%M:%S.%Q")

The results appear on the Statistics tab and look like this:

StartTimestamp       _time                starttime
1521467703049000000  2018-08-10 09:04:00  2018-03-19T06:55:03.049

In these results the _time value is the date and time when the search was run.
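The same pow(10, n) conversion, chosen automatically from the digit count, as an added Python example (not Splunk's code). Timestamps are rendered in UTC, so the page's value comes out as 13:55:03 rather than the 06:55:03 local time shown in the documentation table; the sample epochs are constructed.

```python
from datetime import datetime, timezone

# Constructed sample: the same instant at four precisions, as different
# log sources might emit it. The last value is the one used on the page.
SAMPLE_EPOCHS = [
    1521467703,            # seconds
    1521467703049,         # milliseconds
    1521467703049000,      # microseconds
    1521467703049000000,   # nanoseconds
]

def epoch_to_seconds(value):
    """Normalise an epoch of unknown precision to seconds by digit count,
    i.e. the page's division by pow(10, 3|6|9) picked automatically.
    10 digits = s, 13 = ms, 16 = us, 19 = ns (holds for dates before 2286)."""
    digits = len(str(abs(int(value))))
    if digits <= 10:
        return float(value)
    if digits <= 13:
        return value / 10**3
    if digits <= 16:
        return value / 10**6
    if digits <= 19:
        return value / 10**9
    raise ValueError(f"{value!r} does not look like an epoch timestamp")

def splunk_strftime(ts, fmt):
    """Render UNIX seconds (as UTC) with a Splunk-style format string.
    %Q (milliseconds) and %N (nanoseconds) are Splunk variables that
    Python's strftime lacks, so they are expanded before formatting."""
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    fmt = fmt.replace("%Q", f"{dt.microsecond // 1000:03d}")
    fmt = fmt.replace("%N", f"{dt.microsecond * 1000:09d}")
    return dt.strftime(fmt)

def render_all(values, fmt="%Y-%m-%dT%H:%M:%S.%Q"):
    """Bring mixed-precision epochs onto one comparable string form."""
    return [splunk_strftime(epoch_to_seconds(v), fmt) for v in values]

if __name__ == "__main__":
    for raw, text in zip(SAMPLE_EPOCHS, render_all(SAMPLE_EPOCHS)):
        print(raw, "->", text)
```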

For a list and descriptions of format options, see Date and time format variables.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic examples

The following example returns the hour and minute from the _time field.

...| eval hour_min=strftime(_time, "%H:%M")

If the _time field value is 2022-08-10 11:48:23, the value returned in the hour_min field is 11:48.


The following example creates a new field called starttime in your search results. For the strftime values, the now() function is used to generate the current UNIX time, and date and time variables are used to specify the ISO 8601 timestamp format:

...| eval starttime=strftime(now(),"%Y-%m-%dT%H:%M:%S.%Q")

The results look something like this:

starttime
2022-02-11T01:55:00.000

For more information about date and time variables, see Date and time format variables.

Extended example

The following example creates a single result using the makeresults command.

| makeresults

For example:

_time
2022-08-14 14:00:15

The _time field is stored in UNIX time, even though it displays in a human readable format. To convert the UNIX time to some other format, you use the strftime function with the date and time format variables. The variables must be in quotation marks.

For example, to return the week of the year that an event occurred in, use the %V variable.

| makeresults | eval week=strftime(_time,"%V")

The results show that August 14th occurred in week 33.

_time                week
2022-08-14 14:00:15  33

To return the date and time with subseconds and the time designator (the letter T) that precedes the time components of the format, use the %Y-%m-%dT%H:%M:%S.%Q variables. For example:

| makeresults | eval mytime=strftime(_time,"%Y-%m-%dT%H:%M:%S.%Q")

The results are:

_time                mytime
2022-08-14 14:00:15  2022-08-14T14:00:15.000

strptime(<str>,<format>)

Description

This function takes a time represented by a string and parses the time into a UNIX timestamp format. You use date and time variables to specify the format that matches the string. The strptime function doesn't work with timestamps that consist of only a month and year. The timestamps must include a day.

For example, if string X is 2022-08-13 11:22:33, the format Y must be %Y-%m-%d %H:%M:%S. The string X date must be January 1, 1971 or later. The strptime function takes any date from January 1, 1971 or later, and calculates the UNIX time, in seconds, from January 1, 1970 to the date you provide.

The _time field is in UNIX time. In Splunk Web, the _time field appears in a human readable format in the UI but is stored in UNIX time. If you attempt to use the strptime function on the _time field, no action is performed on the values in the field.

Usage

With the strptime function, you must specify the time format of the string so that the function can convert the string time into the correct UNIX time. The following table shows some examples:

String time                    Matching time format variables
Mon July 23 2022 17:19:01.89   %a %B %d %Y %H:%M:%S.%N
Mon 7/23/2022 17:19:01.89      %a %m/%d/%Y %H:%M:%S.%N
2022/07/23 17:19:01.89         %Y/%m/%d %H:%M:%S.%N
2022-07-23T17:19:01.89         %Y-%m-%dT%H:%M:%S.%N

For a list and descriptions of format options, see Date and time format variables.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic example

If the values in the timeStr field are hours and minutes, such as 11:59, the following example returns the time as a timestamp:

... | eval n=strptime(timeStr, "%H:%M")

Extended example

This example shows the results of using the strptime function. The following search does several things:

  • The gentimes command generates a set of times with 6 hour intervals. This command returns four fields: starttime, starthuman, endtime, and endhuman.
  • The fields command returns only the starthuman and endhuman fields.
  • The eval command takes the string time values in the starthuman field and returns the UNIX time that corresponds to the string time values.

| gentimes start=8/13/18 increment=6h | fields starthuman endhuman | eval startunix=strptime(starthuman,"%a %B %d %H:%M:%S.%N %Y")

The results appear on the Statistics tab and look something like this:

starthuman                endhuman                  startunix
Mon Aug 13 00:00:00 2018  Mon Aug 13 05:59:59 2018  1534143600.000000
Mon Aug 13 06:00:00 2018  Mon Aug 13 11:59:59 2018  1534165200.000000
Mon Aug 13 12:00:00 2018  Mon Aug 13 17:59:59 2018  1534186800.000000
Mon Aug 13 18:00:00 2018  Mon Aug 13 23:59:59 2018  1534208400.000000
Tue Aug 14 00:00:00 2018  Tue Aug 14 05:59:59 2018  1534230000.000000
Tue Aug 14 06:00:00 2018  Tue Aug 14 11:59:59 2018  1534251600.000000
Tue Aug 14 12:00:00 2018  Tue Aug 14 17:59:59 2018  1534273200.000000
Tue Aug 14 18:00:00 2018  Tue Aug 14 23:59:59 2018  1534294800.000000
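The format table and the rules stated in this section (subseconds via %N, a day is required when a year or month is given, dates from 1971 onward), as an added Python example rather than Splunk's own implementation. It assumes UTC for every string, maps Splunk's %N onto Python's %f, handles the page's "%s" and time-only "%H:%M" cases directly, and the assumption that a time-only string is placed on today's date is mine, not stated on the page.

```python
from datetime import datetime, timezone

# Constructed inputs: the four rows of the page's format table, which all
# denote the same instant. Splunk parses in the search's time zone; this
# example assumes UTC throughout.
TABLE = [
    ("Mon July 23 2022 17:19:01.89", "%a %B %d %Y %H:%M:%S.%N"),
    ("Mon 7/23/2022 17:19:01.89",    "%a %m/%d/%Y %H:%M:%S.%N"),
    ("2022/07/23 17:19:01.89",       "%Y/%m/%d %H:%M:%S.%N"),
    ("2022-07-23T17:19:01.89",       "%Y-%m-%dT%H:%M:%S.%N"),
]

DATE_DIRECTIVES = ("%Y", "%y", "%m", "%B", "%b")  # a year or month is present
DAY_DIRECTIVES = ("%d", "%j")                     # a day is present
EPOCH_1971 = 31536000  # 1971-01-01T00:00:00Z, the earliest date the page allows

def splunk_strptime(text, fmt):
    """Parse text with a Splunk-style format; return UNIX seconds as a float
    (subseconds kept) or None where Splunk would produce no value.
    %N (Splunk subseconds) maps onto Python's %f; %s (epoch seconds, as in
    the page's time() example) is not a Python strptime directive and is
    handled directly."""
    if fmt == "%s":
        ts = float(text)
        return ts if ts >= EPOCH_1971 else None
    has_date = any(d in fmt for d in DATE_DIRECTIVES)
    has_day = any(d in fmt for d in DAY_DIRECTIVES)
    if has_date and not has_day:
        return None  # month and year without a day: rejected, as the page states
    try:
        dt = datetime.strptime(text, fmt.replace("%N", "%f"))
    except ValueError:
        return None  # string and format disagree: no value
    if not has_date and not has_day:
        # Time-only input such as "11:59" (the page's basic example): Python
        # defaults to 1900-01-01, so today's UTC date is assumed instead.
        today = datetime.now(timezone.utc)
        dt = dt.replace(year=today.year, month=today.month, day=today.day)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    ts = dt.timestamp()
    return ts if ts >= EPOCH_1971 else None

def parse_table(rows):
    """Parse every (string, format) pair from the table; all should agree."""
    return [splunk_strptime(s, f) for s, f in rows]

if __name__ == "__main__":
    for s, f in TABLE:
        print(f"{s!r:32} {f!r:28} -> {splunk_strptime(s, f)}")
```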

time()

Description

This function returns the wall-clock time, in the UNIX time format, with microsecond resolution.

Usage

The value of the time() function will be different for each event, based on when that event was processed by the eval command.

You can use this function with the eval, fieldformat, and where commands, and as part of eval expressions.

Basic example

This example shows the results of using the time() function. The following search does several things:

  • The gentimes command generates a set of times with 6 hour intervals. This command returns four fields: starttime, starthuman, endtime, and endhuman.
  • The fields command returns only the starttime and starthuman fields.
  • The first eval command takes the numbers in the starttime field and returns them with microseconds included.
  • The second eval command creates the testtime field and returns the UNIX time at the instant the result was processed by the eval command.

| gentimes start=8/13/18 increment=6h | fields starttime starthuman| eval epoch_time=strptime(starttime,"%s") | eval testtime=time()

The results appear on the Statistics tab and look something like this:

starttime   starthuman                epoch_time         testtime
1534143600  Mon Aug 13 00:00:00 2018  1534143600.000000  1534376565.299298
1534165200  Mon Aug 13 06:00:00 2018  1534165200.000000  1534376565.299300
1534186800  Mon Aug 13 12:00:00 2018  1534186800.000000  1534376565.299302
1534208400  Mon Aug 13 18:00:00 2018  1534208400.000000  1534376565.299304
1534230000  Tue Aug 14 00:00:00 2018  1534230000.000000  1534376565.299305
1534251600  Tue Aug 14 06:00:00 2018  1534251600.000000  1534376565.299306
1534273200  Tue Aug 14 12:00:00 2018  1534273200.000000  1534376565.299308
1534294800  Tue Aug 14 18:00:00 2018  1534294800.000000  1534376565.299309

Notice the difference in the microseconds between the values in the epoch_time and testtime fields. You can see that the testtime values increase with each result.


FAQs

What format does Splunk use for data time?

Time variables

Variable  Description
%T        The time in 24-hour notation (%H:%M:%S). For example 23:59:59.
%X        The time in the format for the current locale. For US English the format for 9:30 AM is 9:30:00.
%Z        The timezone abbreviation. For example EST for US Eastern Standard Time.
12 more rows

How does Splunk determine timestamp?

Splunk software adds timestamps to events at index time. It assigns timestamp values automatically by using information that it finds in the raw event data. If there is no explicit timestamp in an event, Splunk software attempts to assign a timestamp value through other means.

How do you specify dates in Splunk?

To search for data using an exact date range, such as from October 15 at 8 PM to October 22 at 8 PM, use the timeformat %m/%d/%Y:%H:%M:%S and specify dates like earliest="10/15/2019:20:00:00" latest="10/22/2019:20:00:00". To search for data from the beginning of today (12 AM or midnight) use earliest=@d.

What is the difference between strptime and strftime in Splunk?

Understanding the Splunk strptime Command

Where strftime takes a UNIX time and converts it to human-readable format, strptime does the exact opposite. Strptime takes human-readable timestamps in your data and converts them to UNIX time.

What is the difference between time and timestamp in Splunk?

Timestamps are stored in UNIX time

Regardless of how time is specified in your events, timestamps are converted to UNIX time and stored in the _time field when your data is indexed. If your data does not have timestamps, the time at which your data is indexed is used as the timestamp for your events.

What is the data type of datetime timestamp?

The DATETIME type is used for values that contain both date and time parts. MySQL retrieves and displays DATETIME values in ' YYYY-MM-DD hh:mm:ss ' format. The supported range is '1000-01-01 00:00:00' to '9999-12-31 23:59:59' . The TIMESTAMP data type is used for values that contain both date and time parts.

What is the best practice for Splunk time zone?

As a best practice, set all the servers in your Splunk deployment infrastructure to the UTC time zone, even if the servers reside in different physical time zones. All the servers in your infrastructure will show the same time, so it can't be confused with the local time of the observer.

What is the difference between time and index time in Splunk?

_time is the event time (the time which is present in the event, in other words the time when the event was generated). _indextime is the index time or, if you prefer, the time when the events have been indexed.

What is the relative time function in Splunk?

Splunk's relative_time function takes in a value of start time and duration and returns a relative time value of time in epoch. An epoch is a numeric value representing time in seconds. You can convert between epoch and human readable time using other Splunk time functions such as strftime and strptime.

How do I change the date format in Splunk?

You need to force splunk to use a locale that has the date format you want. In your case probably en_GB. Quickfix: You can override the locale in the url - e.g. https://splunk/en-GB/app/search/... Better fix: The default locale is specified by the browser - e.g. in prioritised order in chrome://settings/languages.

How to give time in Splunk?

The now() function is often used with other data and time functions. The time returned by the now() function is represented in UNIX time, or in seconds since Epoch time.

How to show time in Splunk table?

If instead you need to display _time as a field, you can put it in the stats options, using some function:
  1. values(to have all the distinct values of _time,
  2. earliest to have the first value,
  3. latest to have the latest value.
Feb 17, 2022

What is _time in Splunk?

When an event is processed by Splunk software, its timestamp is saved as the default field _time . This timestamp, which is the time when the event occurred, is saved in UNIX time notation.

What is the strftime date function?

Using the strftime method and the "%Y" character, the date is converted to a string showing the year. Using the fromisoformat of the datetime object, you can pass a full date string, so that you can get a date object for that string. %Y is for the full year (2022) and %b is for the short version of the month (Jul).

What is datetime strptime for date?

The `strptime()` function in the Python DateTime module is used to parse a string representing a date and time and convert it into a DateTime object. It takes two arguments: the string to be parsed and the format of the string.

What is the format of data timestamp?

Timestamp data must be in the form YYYY-MM-DD-hh-mm, optionally followed by 1 to 12 fractional seconds.

What format does Splunk use?

Packaging and naming

Acceptance Criteria  Description
File format          The file uses tarball format with one of the following extensions: .tar.gz, .tgz, or .spl. If there are any other compressed archives within the release that need extracting, explain in release notes.
8 more rows

What is the format for milliseconds in Splunk?

Use TIME_FORMAT = %s%3N to tell Splunk the timestamp is in epoch form with milliseconds.

What is the default format for time data type?

The default format for the TIME data type is HH24:MI:SS. HH24 represents the hour from 0 to 24, MI represents the minute from 0 to 59, and SS represents the second from 0 to 59. The SECONDDATE data type consists of year, month, day, hour, minute and second information to represent a date with a time value.

Article information

Author: Melvina Ondricka