topic How convert time format in Splunk Enterprise

How convert time format

Nraj87 — Sun, 16 Mar 2025 16:59:20 GMT

Hi ,

How to convert 2025-03-13T11:03:38Z to the "%d/%m/%Y %I:%M:%S ".

I have tried this, but it didn't work.

| eval Lastevent=strftime(last_seen, "%d/%m/%Y %I:%M:%S %p")

Re: How convert time format

ITWhisperer — Mon, 17 Mar 2025 13:04:17 GMT

Is last_seen a string? If so, try parsing it to convert it to an epoch time before formatting the result back to a different string.

| eval Lastevent=strftime(strptime(last_seen, "%FT%T%Z"), "%d/%m/%Y %I:%M:%S %p")

Re: How convert time format

kiran_panchavat — Mon, 17 Mar 2025 12:24:04 GMT

@Nraj87

| makeresults 
| eval last_seen = "2025-03-13T11:03:38Z" 
| eval Lastevent = strftime(strptime(last_seen, "%Y-%m-%dT%H:%M:%SZ"), "%d/%m/%Y %I:%M:%S %p")

Re: How convert time format

livehybrid — Mon, 17 Mar 2025 13:33:01 GMT

Hi @Nraj87

Check out the following, using makeresults to create a sample event:

| makeresults count=1
| fields - _time
| eval last_seen="2025-03-13T11:03:38Z" 
| eval Lastevent=strftime(strptime(last_seen, "%Y-%m-%dT%H:%M:%SZ"), "%d/%m/%Y %I:%M:%S %p")

The reason your original command didn't work is because:

You need to first parse the input format using strptime
Then convert it to your desired format using strftime

The strptime function tells Splunk how to read the input date format, similarly to the strftime

%Y: Full 4 digit Year with century (2025)
%m: Month (03)
%d: Day (13)
T: Literal 'T'
%H: Hour in 24-hour format (11)
%M: Minute (03)
%S: Second (38)
Z: Literal 'Z' for UTC timezone

If you want to include AM/PM, keep the %p in the output format. If you don't need it, you can remove it - although you may wish to use %H to return 24hour format instead of %I for 12 hour format.

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will