topic Re: reformat date, timestamp in Getting Data In

reformat date, timestamp

efelder0 — Wed, 04 Jan 2012 15:38:16 GMT

I am trying to reformat a date/time stamp field from within my output.

Here is the current format: 21:32:31-Dec 08 2011

New format: 12/08/2011 21:32:31 AM/PM

thanks.

Re: reformat date, timestamp

lguinn2 — Wed, 04 Jan 2012 16:10:46 GMT

Does Splunk recognize this as a timestamp? For my answer below, I will assume that Splunk extracted the date into the _time field. An easy way to do this is to create a new field with eval:

<yoursearchhere> | eval formattedTime = strftime(_time, "%D %r") | table formattedTime <otherfieldshere>

Once you have created the new field, you can use it however you like; I just supplied the table command as an example. Google "strftime" for more formatting options.
If the datetime is contained in a different field, substitute that field name for _time. If Splunk didn't extract the field for you, post a bit more of the event (showing the timestamp in context) and someone will be able to help you extract it.

Re: reformat date, timestamp

dwaddle — Wed, 04 Jan 2012 16:11:25 GMT

Convert it to an intermediate time_t and back again, using eval's strptime and strftime functions. Something like:

blah blah blah | eval myfield=strftime(strptime(myfield,"%H:%M:S-%b %d %Y"),"%M/%D/%Y %I:%M:%S %P"))