topic How to convert a String date format to another date format? in Splunk Search

How to convert a String date format to another date format?

ewise1 — Wed, 28 Jun 2017 20:08:38 GMT

Hi,

I have a date that comes in as part of a string, and it looks like "Jun 28 11:50:23 2017". How can I convert this to show "Jun 28 2017 11:50:23"?

Re: How to convert a String date format to another date format?

niketn — Wed, 28 Jun 2017 20:43:58 GMT

Try the following run anywhere search

| makeresults 
| eval Time="Jun 28 11:50:23 2017"
| eval Time=strptime(Time, "%b %d %H:%M:%S %Y")
| fieldformat Time=strftime(Time,"%b %d %Y %H:%M:%S")

PS: final fieldformat command is just displaying epoch time field Time to human readable string time as per your need. You might have to use eval instead of fieldformat is you want to use String Time down the line in your Splunk Search rather than epoch time.

Re: How to convert a String date format to another date format?

cpetterborg — Wed, 28 Jun 2017 21:06:05 GMT

This will also work in your case, without using as much processing:

 | makeresults 
 | eval Time="Jun 28 11:50:23 2017"
 | rex field=Time mode=sed "s/(\w+\s\d+)\s(\d+:\d+:\d+)\s(\d+)/\\1 \\3 \\2/"

Re: How to convert a String date format to another date format?

niketn — Wed, 28 Jun 2017 21:35:55 GMT

@cpetterborg, thanks for reminding of sed, following replace should also do the trick

 | makeresults 
 | eval Time="Jun 28 11:50:23 2017"
 | eval Time=replace(Time,"(\w{3}\s\d{2})(\s\d{2}:\d{2}:\d{2})(\s\d{4})","\1\3\2")

Basically June 28 is extracted as 1st Capturing group 11:50:23 as 2nd and 2017 as 3rd. Then replace is used to format them in correct sequence i.e. 1, 3, 2. Output field will remain String Date. Refer to the documentation: http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/TextFunctions#Basic_example_4