https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448185#M168259 <P>Hey@jip31,</P> <P>You can add these attributes in your props.conf:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Propsconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Propsconf</A></P> <P>TIME_FORMAT = <BR /> TIME_PREFIX = </P> <P>Let me know if this helps!!</P> Tue, 29 Sep 2020 20:33:03 GMT deepashri_123 2020-09-29T20:33:03Z https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448184#M168258 <P>Hi</P> <P>i have a value like this in a field 2018067155420 and i want to format it with this format : yyyymmddhhmmss so<BR /> could you help me please??</P> Thu, 19 Jul 2018 06:25:27 GMT https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448184#M168258 jip31 2018-07-19T06:25:27Z https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448185#M168259 <P>Hey@jip31,</P> <P>You can add these attributes in your props.conf:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Propsconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/7.1.2/Admin/Propsconf</A></P> <P>TIME_FORMAT = <BR /> TIME_PREFIX = </P> <P>Let me know if this helps!!</P> Tue, 29 Sep 2020 20:33:03 GMT https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448185#M168259 deepashri_123 2020-09-29T20:33:03Z https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448186#M168260 <P>hi<BR /> not really<BR /> i just want to format this value</P> Thu, 19 Jul 2018 09:25:45 GMT https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448186#M168260 jip31 2018-07-19T09:25:45Z https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448187#M168261 <P>What do you mean by format this value? Can you give an example of the output you expect of that formatting?</P> Thu, 19 Jul 2018 10:14:03 GMT https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448187#M168261 FrankVl 2018-07-19T10:14:03Z https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448188#M168262 <P>hi<BR /> This value 20180627155420 correspond to the date 2018 06 27 and the hour 15 54 20<BR /> i would like to have finally an EVAL which does 27/06/2018 15:54<BR /> thanks</P> Thu, 19 Jul 2018 11:30:44 GMT https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448188#M168262 jip31 2018-07-19T11:30:44Z https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448189#M168263 <P>Try this:</P> <PRE><CODE>| makeresults | eval date_time = 20180627155420 | eval formatted_date_time = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M") </CODE></PRE> <P>First two lines are just to generate an example, you only need the last line (make sure to adjust the field names to your situation). This code parses the date-time string that you have to a unix timestamp, and then prints that timestamp as per the format you wanted.</P> Thu, 19 Jul 2018 11:43:16 GMT https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448189#M168263 FrankVl 2018-07-19T11:43:16Z https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448190#M168264 <P>Hi</P> <P>i have wrote this but it doesnt works</P> <PRE><CODE>index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon | rex field=LastLogon mode=sed "s/\..*$//" | eval LastLogon = strftime(strptime(date_time,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M") </CODE></PRE> <P>there is a mistake somewhere??</P> Fri, 20 Jul 2018 07:26:44 GMT https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448190#M168264 jip31 2018-07-20T07:26:44Z https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448191#M168265 <P>Yes, like I said, you need to adjust it to your field names. So replace date_time with the field that contains your input. So looking at your example that would be LastLogon.</P> <PRE><CODE> index="windows-wmi" sourcetype="WMI:LastLogon" LastLogon | rex field=LastLogon mode=sed "s/\..*$//" | eval LastLogon = strftime(strptime(LastLogon,"%Y%m%d%H%M%S"),"%d/%m/%Y %H:%M") </CODE></PRE> Fri, 20 Jul 2018 07:47:53 GMT https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448191#M168265 FrankVl 2018-07-20T07:47:53Z https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448192#M168266 <P>you are the best! thanks</P> Fri, 20 Jul 2018 07:57:12 GMT https://community.splunk.com/t5/Splunk-Search/VALUE-FORMAT/m-p/448192#M168266 jip31 2018-07-20T07:57:12Z