https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353539#M104640 <P>Just to add to this....I want the value to be numeric so I can sort it.</P> Thu, 21 Sep 2017 14:43:40 GMT AJNZAZ 2017-09-21T14:43:40Z https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353538#M104639 <P>I have two fields START and END that are tagged as strings. The two fields always carry a value in the format dd-[3-letter MONTH-yyyy. As an example:</P> <P>START=07-SEP-2017 <BR /> END=11-NOV-2045</P> <P>I have gone through and applied solutions provided in previous posts to no avail. I have tried using regex or eval and strptime commands unsuccessfully while attempting to convert the date format 14-JUN-2017 to a date field. my most recent update was to use Index=* sourcetype=* | eval -START=strptime(START, %d-%b-%Y). Has anyone come across this 'specific' format and issue before?</P> Thu, 21 Sep 2017 14:41:23 GMT https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353538#M104639 AJNZAZ 2017-09-21T14:41:23Z https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353539#M104640 <P>Just to add to this....I want the value to be numeric so I can sort it.</P> Thu, 21 Sep 2017 14:43:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353539#M104640 AJNZAZ 2017-09-21T14:43:40Z https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353540#M104641 <P>There may be a syntax issue with the way you used strptime, but can't say for sure as you didn't format the query portion using code formatter (101010 button on top of the editor OR Ctrl+K after selecting text). Try like this</P> <PRE><CODE>index=yourIndex sourcetype=yourSourcetype | eval START=strptime(START,"%d-%b-%Y") | eval END=strptime(END,"%d-%b-%Y") </CODE></PRE> Thu, 21 Sep 2017 14:49:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353540#M104641 somesoni2 2017-09-21T14:49:42Z https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353541#M104642 <P>I think I figured it out. This is the syntax I used:</P> <P>index=NAME sourcetype=NAME | eval START_TIME=strftime(strptime(START, "%d-%b-%Y"), "%m/%d/%y") | | eval END_TIME=strftime(strptime(END, "%d-%b-%Y"), "%m/%d/%y")</P> Tue, 29 Sep 2020 15:54:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353541#M104642 AJNZAZ 2020-09-29T15:54:12Z https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353542#M104643 <P>Hi AJNZAZ,<BR /> could you detail your problem?<BR /> I checked strptime with your format and it runs, you can use these fields in epochtime for calculations (e.g. difference):</P> <PRE><CODE>index=_internal | head 1 | eval START="07-SEP-2017", END="11-NOV-2045", START=strptime(START,"%d-%b-%Y"), END=strptime(END,"%d-%b-%Y"), END=strptime(END,"%d-%b-%Y"), DIFF=tostring(END-START,"duration") | table START END DIFF </CODE></PRE> <P>Result is </P> <PRE><CODE>START END DIFF 1504735200.000000 2393967600.000000 10292+01:00:00.000000 </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Thu, 21 Sep 2017 14:57:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-transform-a-string-i-e-11-MAY-2017-to-a-date-field/m-p/353542#M104643 gcusello 2017-09-21T14:57:49Z