https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27376#M4606 <P>I believe that you'll have to make a two stage operation, first convert your input format to <CODE>epoch</CODE>, and the convert it to your desired format.</P> <PRE><CODE>... | eval epochtime=strptime(your_current_time_field, "%b %d %H:%M:%S")| eval desired_time=strftime(epochtime, "%d/%m/%Y %I:%M:%S %p") </CODE></PRE> <P>However, since the data coming in has no year specification, I'm not sure that you would get usable results. It may be that you'll have to make changes to the logging application so that the full date is being logged.</P> <P>For information regarding <CODE>strftime</CODE> and <CODE>strptime</CODE>, see;</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonEvalFunctions</A><BR /> <A href="http://strftime.org">http://strftime.org</A></P> <HR /> <P>UPDATE:</P> <P>Ah, ziegfried has an important point. If Splunk has read your timestamp (without the year) and parsed and indexed it correctly (you can compare the the timestamps in the events with the timestamp next to the blue down-arrow-thingy to the left of the event), then you can skip the first part and use the <CODE>_time</CODE> field, which is already in <CODE>epoch</CODE>.</P> <PRE><CODE>...| eval desired_time=strftime(_time, "%d/%m/%Y %I:%M:%S %p") </CODE></PRE> <P>Hope this helps somewhat anyway,</P> <P>Kristian</P> Mon, 16 Apr 2012 10:49:45 GMT kristian_kolb 2012-04-16T10:49:45Z https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27374#M4604 <P>Hi ,</P> <P>In splunk query i need to convert time format as below .</P> <P>Current format - Apr 13 17:58:35</P> <P>Required Format : 04/13/2012 5:58:35 PM</P> Mon, 16 Apr 2012 10:23:52 GMT https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27374#M4604 Ravan 2012-04-16T10:23:52Z https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27375#M4605 <P>Is it the timestamp, that is recognized by Splunk or do you have an extracted field with this value?</P> Mon, 16 Apr 2012 10:47:48 GMT https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27375#M4605 ziegfried 2012-04-16T10:47:48Z https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27376#M4606 <P>I believe that you'll have to make a two stage operation, first convert your input format to <CODE>epoch</CODE>, and the convert it to your desired format.</P> <PRE><CODE>... | eval epochtime=strptime(your_current_time_field, "%b %d %H:%M:%S")| eval desired_time=strftime(epochtime, "%d/%m/%Y %I:%M:%S %p") </CODE></PRE> <P>However, since the data coming in has no year specification, I'm not sure that you would get usable results. It may be that you'll have to make changes to the logging application so that the full date is being logged.</P> <P>For information regarding <CODE>strftime</CODE> and <CODE>strptime</CODE>, see;</P> <P><A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonEvalFunctions">http://docs.splunk.com/Documentation/Splunk/4.3.1/SearchReference/CommonEvalFunctions</A><BR /> <A href="http://strftime.org">http://strftime.org</A></P> <HR /> <P>UPDATE:</P> <P>Ah, ziegfried has an important point. If Splunk has read your timestamp (without the year) and parsed and indexed it correctly (you can compare the the timestamps in the events with the timestamp next to the blue down-arrow-thingy to the left of the event), then you can skip the first part and use the <CODE>_time</CODE> field, which is already in <CODE>epoch</CODE>.</P> <PRE><CODE>...| eval desired_time=strftime(_time, "%d/%m/%Y %I:%M:%S %p") </CODE></PRE> <P>Hope this helps somewhat anyway,</P> <P>Kristian</P> Mon, 16 Apr 2012 10:49:45 GMT https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27376#M4606 kristian_kolb 2012-04-16T10:49:45Z https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27377#M4607 <P>Here is how to create a new field by parsing and formatting a date value using Splunk's eval command:</P> <PRE><CODE>... | eval newdatefield = strftime( strptime( myolddatefield, "%b %d %H:%M:%S" ), "%m/%d/%Y %I:%M:%S %p") </CODE></PRE> <UL> <LI>use <CODE>strptime()</CODE> to parse a timestamp value</LI> <LI>use <CODE>strftime()</CODE>to format a timestamp value</LI> </UL> Mon, 16 Apr 2012 11:01:58 GMT https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27377#M4607 ziegfried 2012-04-16T11:01:58Z https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27378#M4608 <P>Cool , its working great. Thanks</P> Mon, 16 Apr 2012 12:35:59 GMT https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27378#M4608 Ravan 2012-04-16T12:35:59Z https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27379#M4609 <P>Hi,</P> <P>I used it for my purposes and it worked.<BR /> Thank you very much!</P> <P>Skender Kollcaku</P> Tue, 30 Jun 2015 15:32:39 GMT https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/27379#M4609 skender27 2015-06-30T15:32:39Z https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/579302#M102273 <P>the docs link seems to be broken,.. hence replying link again..</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/CommonEvalFunctions" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/CommonEvalFunctions</A></P><P>&nbsp;</P><P>strftime's "Date and time format variables" docs link...</P><P><A href="https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Commontimeformatvariables" target="_blank">https://docs.splunk.com/Documentation/Splunk/8.2.4/SearchReference/Commontimeformatvariables</A></P><P>&nbsp;</P> Mon, 27 Dec 2021 12:06:26 GMT https://community.splunk.com/t5/Getting-Data-In/convert-time-format/m-p/579302#M102273 inventsekar 2021-12-27T12:06:26Z