topic Re: timeformat for AM/PM in MKTime in Splunk Search

timeformat for AM/PM in MKTime

rgcox1 — Tue, 19 Oct 2010 04:33:54 GMT

What is the timeformat symbol to specify that AM/PM is included in the string? %P appears to work, but results show a difference when the 2 times are exactly the same. PM is simply being stripped instead of adding 12 hours.

source="WinEventLog:*" |eval time=_time|convert timeformat="%m/%d/%Y %H:%M:%S %P" MkTime(WinEventDate) as wtime|eval diff=wtime-time |where diff<0 |Convert ctime(time) as ctime |fields host, diff, WinEventDate, ctime, time, wtime

Thanks

Re: timeformat for AM/PM in MKTime

araitz — Tue, 19 Oct 2010 10:16:24 GMT

Open Group's publication says %p (not sure if lower case matters).

http://www.opengroup.org/onlinepubs/009695399/functions/strptime.html

%p    The locale's equivalent of a.m or p.m.

Can you post an example event that you are having problems with?

Re: timeformat for AM/PM in MKTime

rgcox1 — Thu, 21 Oct 2010 04:01:03 GMT

Example:

10/18/10 08:08:30 PM

Re: timeformat for AM/PM in MKTime

rgcox1 — Thu, 21 Oct 2010 04:01:17 GMT

Good reference. Thought it might be that I was using an upper case H, but tried all variations of UC and LC H with any parameter related to a 12 hour clock. UC H and UC or LC p are the only ones that returned any result, and they always ignore PM.

Re: timeformat for AM/PM in MKTime

alemin — Thu, 02 Feb 2012 08:32:28 GMT

This syntax works on my Splunk ver. 4.2.2 and converts 24 to 12 hours using %I instead of %H

%Y-%m-%d %I:%M%P

example

2012-02-01 05:47pm

Re: timeformat for AM/PM in MKTime

jluste — Thu, 13 Sep 2012 20:27:50 GMT

Here is a Splunk Reference Guide: http://docs.splunk.com/images/1/17/4.2.x_search_language_refcard.pdf

This has a number of wonderfully useful things, the past page devoted to REGEX and Splunk STRPTIME formats.

Re: timeformat for AM/PM in MKTime

griffinpair — Mon, 24 Jul 2017 20:51:48 GMT

Any answer on this? I am having the same issue with 5:18:30 PM showing as 05:18:30 with the following search:

eval time=strftime(round(strptime(full_Time, "%H:%M:%S %p")), "%H:%M:%S")

Re: timeformat for AM/PM in MKTime

griffinpair — Tue, 25 Jul 2017 14:22:04 GMT

%I designates the hour for 12-hr timing format and %H designates the hour for 24-hr timing format. %P needs to be at the end to pick up the am/pm string at the end.

If using a 12-HR time format, 08:08:30 PM would be:

"%I:%M:%S %P"

If using a 24-HR time format, 20:08:30 PM would be:

"%H:%M:%S %P"

Re: timeformat for AM/PM in MKTime

liadal — Thu, 31 Aug 2017 12:33:05 GMT

When the filed type is string with AM/PM Format

This Solution work for me :
strftime(strptime(replace(FirstDepositDate,substr(FirstDepositDate,-2),""),"%m/%d/%Y"),"%m/%d/%Y"),