topic Converting timestamp to date? in Getting Data In https://community.splunk.com/t5/Getting-Data-In/Converting-timestamp-to-date/m-p/159511#M32366 <P>Hello Splunk Community</P> <P>I am trying to convert a timestamp, StartTime (current format: 2014-05-09T19:11:52.5165976Z) in my log file data to a simple DD-MON-YY formatting. I have found a number of solutions in these forums, but I cannot seem to get it to work despite numerous attempts.</P> <P>My original search is: <STRONG>sourcetype="logfile" Status="*" | chart dc(UserId) by StartTime | SORT dc(UserId) desc</STRONG></P> <P>I have tried implementing the following code: <STRONG>strptime(StartTime, "%d-%b-%Y")</STRONG> but this makes the Search fail. I’ve also tried using the eval command, but still no results are returned.</P> <P>Any help would be greatly appreciated.</P> <P>Thank you,</P> <P>Mike</P> Fri, 09 May 2014 21:03:19 GMT MichaelCohen821 2014-05-09T21:03:19Z Converting timestamp to date? https://community.splunk.com/t5/Getting-Data-In/Converting-timestamp-to-date/m-p/159511#M32366 <P>Hello Splunk Community</P> <P>I am trying to convert a timestamp, StartTime (current format: 2014-05-09T19:11:52.5165976Z) in my log file data to a simple DD-MON-YY formatting. I have found a number of solutions in these forums, but I cannot seem to get it to work despite numerous attempts.</P> <P>My original search is: <STRONG>sourcetype="logfile" Status="*" | chart dc(UserId) by StartTime | SORT dc(UserId) desc</STRONG></P> <P>I have tried implementing the following code: <STRONG>strptime(StartTime, "%d-%b-%Y")</STRONG> but this makes the Search fail. I’ve also tried using the eval command, but still no results are returned.</P> <P>Any help would be greatly appreciated.</P> <P>Thank you,</P> <P>Mike</P> Fri, 09 May 2014 21:03:19 GMT https://community.splunk.com/t5/Getting-Data-In/Converting-timestamp-to-date/m-p/159511#M32366 MichaelCohen821 2014-05-09T21:03:19Z Re: Converting timestamp to date? https://community.splunk.com/t5/Getting-Data-In/Converting-timestamp-to-date/m-p/159512#M32367 <P>Hi Mike,<BR /> The timeformat looks to be simple which splunk should have read it automatically which will mean Starttime=_time(default eventtime)</P> <P>if not you need a convertion before make it to your usable format. So it would go like this</P> <PRE><CODE>|eval StartTime=strptime(StartTime, "%Y-%m-%dT%H:%M:%S")|eval StartTime=strftime(StartTime,"%d-%b-%Y") </CODE></PRE> <P>OR<BR /> |eval StartTime=strptime(StartTime, "%Y-%m-%dT%H:%M:%S")|convert timeformat="%d-%b-%Y" ctime(StartTime)</P> <P>Thanks</P> Fri, 09 May 2014 21:15:40 GMT https://community.splunk.com/t5/Getting-Data-In/Converting-timestamp-to-date/m-p/159512#M32367 linu1988 2014-05-09T21:15:40Z