Splunk commands Usage: CONVERT

How to use the Splunk CONVERT command?

The Splunk convert command converts field values in the search results into numerical values (epoch time included). Unless an AS clause names a new field, the converted value overwrites the original field value.

The original article shows the syntax skeleton of the convert command as a screenshot, which is not preserved here.

The convert command accepts further arguments and conversion functions; the ones used in this article are:

  • timeformat

Specifies the time format used by the time conversion functions: the format mktime parses its input with and the format ctime writes its output in. The default is “%m/%d/%Y %H:%M:%S”.

  • mktime

Converts a human-readable time string into epoch time (seconds since 1970-01-01 00:00:00 UTC). The format of the input string is given with the timeformat argument. It is the convert-command counterpart of the strptime() eval function.

  • ctime

Converts epoch time into a human-readable time string. The output format is given with the timeformat argument. It is the convert-command counterpart of the strftime() eval function.
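The three options above in one search, as an added example that runs on any Splunk instance (it is my own code, not the article's screenshot; the field names and the constructed timestamp strings are mine). makeresults generates a single event, so no index is needed:

```spl
| makeresults
| eval t_overwrite="03/29/2021 10:15:32", t_keep="03/29/2021 10:15:32", t_iso="2021-03-29T10:15:32"
| convert mktime(t_overwrite)
| convert mktime(t_keep) AS t_keep_epoch
| convert timeformat="%Y-%m-%dT%H:%M:%S" mktime(t_iso) AS t_iso_epoch
| eval same_instant=if(t_keep_epoch==t_iso_epoch, "yes", "no")
| table t_overwrite t_keep t_keep_epoch t_iso t_iso_epoch same_instant
```

The general form is `convert [timeformat=<string>] (<convert-function>(<field>) [AS <new-field>])...`. The first convert has no AS clause, so t_overwrite is replaced in place by its epoch value, while the second keeps t_keep and writes the epoch value to t_keep_epoch. The third shows that timeformat applies to the functions in that convert invocation; same_instant is "yes" because both strings describe the same local time. Strings without an offset are interpreted in the timezone configured for the user running the search; if the source carries an explicit offset, add %z to the format so it is honoured.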

The examples below use a custom date-time field: the time portion of every splunkd_ui_access event was extracted into a field named ATIMESTAMP with the interactive field extractor (the screenshot of that extraction is not preserved here).

Example One

Query and results (screenshots not preserved)

Explanation

The query searches index _internal with sourcetype splunkd_ui_access, where ATIMESTAMP is the field extracted above. With the latest function of the stats command we keep the latest value of ATIMESTAMP. The rex command then pulls the day, month and year portion out of ATIMESTAMP and stores it in a new field, NEWTIME. Finally, convert with the mktime function turns the NEWTIME values into epoch time and stores them in a new field named “ConvertedEpochTime”. Because NEWTIME holds only a day/month/year string, timeformat is set to “%d/%b/%Y”; had it been omitted, convert would have assumed the default “%m/%d/%Y %H:%M:%S”, which the string does not match.
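A reconstruction of Example One as an added example (the original query survives only as a screenshot, so this is my code; using rex instead of the interactive field extractor, and the regular expressions themselves, are my assumptions based on the bracketed Apache-style timestamp that splunkd_ui_access lines carry). The last three lines are a check the walkthrough does not show:

```spl
index=_internal sourcetype=splunkd_ui_access
| rex field=_raw "\[(?<ATIMESTAMP>[^\]]+)\]"
| stats latest(ATIMESTAMP) AS ATIMESTAMP
| rex field=ATIMESTAMP "^(?<NEWTIME>\d{2}/\w{3}/\d{4})"
| convert timeformat="%d/%b/%Y" mktime(NEWTIME) AS ConvertedEpochTime
| eval conversion=if(isnum(ConvertedEpochTime), "ok", "failed: NEWTIME did not match %d/%b/%Y")
| convert timeformat="%d/%b/%Y %H:%M:%S %z" ctime(ConvertedEpochTime) AS roundtrip
| table ATIMESTAMP NEWTIME ConvertedEpochTime conversion roundtrip
```

isnum() tells you whether mktime actually produced a number rather than silently carrying a non-matching string through the rest of the pipeline. Converting the result back with ctime and %z shows the midnight that a date-only string was mapped to and the timezone offset that was assumed for it, which matters whenever the epoch value is later compared with timestamps from another source.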

Example Two

Query and results (screenshots not preserved)

Explanation

In this query _time is the internal event-time field of the events in index _internal with sourcetype splunkd_ui_access; Splunk stores it in epoch format. With the latest function of the stats command we take the latest event time and store it in the field LT. The ctime function of the convert command then turns this epoch value into a human-readable time and stores it in a new field named “ConvertedEpochTime”. No extraction step is needed because _time is already epoch time. As no timeformat is given, ctime uses the default “%m/%d/%Y %H:%M:%S”.

Example Three

Query and results (screenshots not preserved)

Explanation

As in Example Two, _time is the internal event-time field (in epoch format) of the events in index _internal with sourcetype splunkd_ui_access. With the latest function of the stats command we take the latest event time and store it in LT, and the ctime function of the convert command turns it into a human-readable time stored in a new field named “ConvertedEpochTime”. The difference is the timeformat argument: “%c” formats the time in the current locale's date/time format as defined by the operating system of the Splunk server running the search, so the output changes with the server locale and should not be relied on by anything that parses the result.
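Examples Two and Three differ only in the timeformat handed to ctime. The added example below (my code, not the article's screenshots) renders the same LT value three ways in one search so the outputs can be compared side by side, keeping LT itself as the epoch reference:

```spl
index=_internal sourcetype=splunkd_ui_access
| stats latest(_time) AS LT
| convert ctime(LT) AS default_format
| convert timeformat="%c" ctime(LT) AS locale_format
| convert timeformat="%Y-%m-%dT%H:%M:%S%z" ctime(LT) AS explicit_format
| table LT default_format locale_format explicit_format
```

default_format is the “%m/%d/%Y %H:%M:%S” rendering, locale_format follows the search head's OS locale and therefore differs between environments, and explicit_format is what to use for anything that is parsed downstream (exports to another SIEM, correlation searches, incident timelines), because it is unambiguous and carries the offset. The AS clauses are essential here: without them the first ctime would have replaced LT with a string, and the later conversions would have had no epoch value to work on.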

Example Four

Query and results (screenshots not preserved)

Explanation

Again _time is the internal event-time field (in epoch format) of the events in index _internal with sourcetype splunkd_ui_access, and stats with the latest function stores the latest event time in LT. The walkthrough then applies the mktime function of the convert command with timeformat “%m/%d/%Y %H:%M” (minute precision; the default would be “%m/%d/%Y %H:%M:%S”) to obtain epoch time; note that LT produced by latest(_time) is already epoch seconds, so the arithmetic that follows can run on it directly. The eval command computes the time 20 minutes before LT: epoch time is expressed in seconds, so subtracting 1200 seconds (20*60) from LT gives the earlier instant, which is stored in field A. Both LT and A are therefore epoch values. The ctime function of the convert command turns them into human-readable times stored in the new fields “Time” and “20_mins_before”, and the fields command finally keeps only those two fields.
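Example Four as an added example (my reconstruction from the explanation, not the original screenshot). Because latest(_time) already returns epoch seconds, this version subtracts the window directly and uses timeformat only on the ctime output, which is where the minute-precision format belongs; the window length is held in a field so it can be changed in one place, and the last eval shows a detail the walkthrough skips:

```spl
index=_internal sourcetype=splunkd_ui_access
| stats latest(_time) AS LT
| eval window_secs=20*60
| eval A=LT-window_secs
| convert timeformat="%m/%d/%Y %H:%M" ctime(LT) AS Time ctime(A) AS 20_mins_before
| eval window='20_mins_before'." to ".Time
| fields Time 20_mins_before window
```

Two points worth knowing when you adapt this. The subtraction has to happen while the values are still epoch seconds; once ctime has run, Time and 20_mins_before are strings and cannot be used in arithmetic. And a field name that starts with a digit, such as 20_mins_before, must be wrapped in single quotes when referenced inside eval, as the last eval does; the convert AS clause and the fields command accept it unquoted.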
